On Thu, Mar 27, 2003 at 04:48:37PM -0500, John S. Denker wrote:
> I think before I did that I would throw away all the linux-2.5 built-in
> IPsec features and use FreeS/WAN, which has a reasonably complete
> It's amusing that some people flame FreeS/WAN, alleging "it's _not_
> integrated, and this is a major problem" ... and alleging that the
> linux-2.5 stuff solves this problem. Somehow I don't understand how
> telling people to write their own key-exchange daemon is the winning
> "integrated" solution.
I sense some... anger. Linux provides the RFC PF_KEY protocol and also uses
the RFC ioctls to support IPSEC. Any compliant IKE will work against it.
That is how development works in the kernel.
> For example, BSD provides an "enc0" device and documents using it to
> implement network security rules. Alas I see no sign that linux-2.5
> provides this feature. If I am overlooking something, please explain.
'enc0' is an internal abstraction, do you need it?
> I ask again: Is there a document somewhere listing the set of desirable
> features and the status thereof? Or otherwise is there something to
> reassure would-be users that a complete feature-set will be provided?
Right now, the kernel side of things is nearly complete. I sorely miss IPSEC
NAT traversal which appears to be pretty patented.
This is mostly about userspace. The current attitude is that the kernel
provides the hooks and we then hope people start coding against that
interface. A large amount of the things you suggest can be implemented
Some time ago I took a small shot at porting the freeswan ike to the
standardised IPSEC ioctls add PF_KEY protocol but it differed too wildly. It
may well be useful to continue this effort.
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO