remove IPsec SKIPJACK support...
John-Mark Gurney
jmg at funkthat.com
Wed Jul 29 17:10:54 UTC 2015
John-Mark Gurney wrote this message on Wed, Jul 29, 2015 at 09:11 -0700:
> George Neville-Neil wrote this message on Wed, Jul 29, 2015 at 10:35 -0400:
> > That's fine so long as it's removed in HEAD now, and then the warning can
> > go into 10 aka 10.3.
>
> As I said, setkey doesn't support it.. and I looked at the ports for
> racoon2 and strongswan (has it in their library, but, and neither support it... Are there any other
> programs (besides custom software) that can do secdb manipulations that
> could possibly create a skipjack sdb entry?
Checked the other two IKE daemons in ports, and ipsec-tools does not
use it, and isakmpd has a define in the OpenBSD specific headers (which
we don't use), but doesn't use it for anything...
> If not, putting warning into 9 and 10 seems excessive for a feature that
> people can't even use...
>
> > On 28 Jul 2015, at 13:25, Adrian Chadd wrote:
> >
> > > I'd put together a deprecation plan, which starts with the kernel
> > > warning that this stuff is being removed, MFC that to stable/10 and
> > > stable/9 so people aren't surprised when they upgrade, and then have
> > > it removed in 11.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the freebsd-net mailing list