A radical restructuring of IPsec...
Kris Kennaway
kris at obsecurity.org
Sat Apr 7 04:23:23 UTC 2007
On Fri, Apr 06, 2007 at 04:49:01PM +0200, Ivan Voras wrote:
> gnn at freebsd.org wrote:
>
> >The patch removes Kame derived IPsec from the tree, and adds v6
> >support to FAST_IPSEC. The IPSEC kernel option is removed, but the
> >FAST_IPSEC option remains. This is a test patch and has a known
> >problem with routing packets through a node. Nodes can operate in a
> >host mode, that is they are the endpoint of a tunnel.
>
> Just a quick question: Is the reason for this simplification,
> performance, cleanup (I see spl...() functions removed), or something else?
KAME IPSEC is both giant-locked and lower performance than fast IPSEC
(which also integrates with crypto hardware devices). The missing
piece from the latter is what George has implemented, namely IPv6
support.
Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20070407/812e643d/attachment.pgp
More information about the freebsd-net
mailing list