netdev.vger.kernel.org archive mirror
From: "John S. Denker" <jsd@monmouth.com>
To: bert hubert <ahu@ds9a.nl>
Cc: netdev <netdev@oss.sgi.com>
Subject: Re: ?completeness of IPsec feature-set
Date: Thu, 27 Mar 2003 16:48:37 -0500
Message-ID: <3E8371B5.7030200@monmouth.com>
In-Reply-To: <20030327133659.GA11820@outpost.ds9a.nl>

On 03/27/2003 08:36 AM, bert hubert wrote:
>
> Racoon is just an IKE daemon - Linux is not bound to it.

That's true.  But until today there had been no
discussion on netdev of any userspace tools except
KAME, as far as google and I can tell.  It seems
high time to begin such a discussion.

> You are free to write your own.

I think before I did that I would throw away all
the linux-2.5 built-in IPsec features and use
FreeS/WAN, which has a reasonably complete feature-set.

It's amusing that some people flame FreeS/WAN,
alleging "it's _not_ integrated, and this is a
major problem" ... and alleging that the linux-2.5
stuff solves this problem.  Somehow I don't understand
how telling people to write their own key-exchange
daemon is the winning "integrated" solution.

> The OpenBSD one (isakmpd) also works under linux.

Folks who wish to pursue this option are encouraged
to look at
   http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0582.html
which announces a port of isakmpd to linux-2.5,
available from
   http://bender.thinknerd.de/~thomas/isakmpd-linux-2.5/

BSD IPsec in general and isakmpd in particular have
a better design and vastly better documentation than
KAME.

However, the existence of isakmpd does not answer all
questions about the completeness of the IPsec feature-set.

For example, BSD provides an "enc0" device and documents
using it to implement network security rules.  Alas I
see no sign that linux-2.5 provides this feature.  If
I am overlooking something, please explain.

I ask again:  Is there a document somewhere listing the
set of desirable features and the status thereof?  Or
otherwise is there something to reassure would-be users
that a complete feature-set will be provided?

http://www.monmouth.com/~jsd/vpn/ipsec+routing/feature-list.htm
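
[Editor's note, not part of the original message: the enc0 point above is
easy to miss, so here is an added example of the kind of rule set the
author is referring to. It is written in OpenBSD pf syntax as the editor
knows it, not taken from the BSD documentation, the thread, or any
project; the interface name, addresses and subnets are made-up
placeholders. The security point is that decrypted packets leave the
IPsec stack on enc0, so a filter rule bound to enc0 can say "only accept
traffic for this subnet if it actually arrived inside an SA", whereas a
rule on the external interface sees only ESP and cannot distinguish a
cleartext packet spoofing an internal source from one that was decrypted.]

```pf
# pf.conf fragment (illustrative; names and addresses are assumptions)
ext_if  = "fxp0"                 # outside interface, assumed name
peer    = "192.0.2.1"            # remote IPsec gateway, assumed address
local   = "198.51.100.1"         # this gateway's outside address, assumed
inside  = "10.2.0.0/24"          # subnet behind this gateway, assumed
remote  = "10.1.0.0/24"          # subnet behind the peer, assumed

# Default deny everywhere; everything below is an explicit exception.
block all

# On the outside interface only the IPsec protocols themselves are
# admitted from the peer: IKE (UDP/500) and ESP. Cleartext packets
# claiming a $remote source address are dropped by the default block,
# so a spoofed 10.1.0.x packet never reaches the inside network.
pass in  on $ext_if proto udp from $peer to $local port 500
pass out on $ext_if proto udp from $local port 500 to $peer
pass in  on $ext_if proto esp from $peer to $local
pass out on $ext_if proto esp from $local to $peer

# Decrypted traffic reappears on enc0. Filtering here means the rule
# applies only to packets that were actually inside an SA, which is
# the property a rule on $ext_if cannot express.
pass in  on enc0 from $remote to $inside keep state
pass out on enc0 from $inside to $remote keep state
```

Without an enc0-like hook the gateway has to trust the SPD alone to
reject cleartext packets for $remote, and it has no way to apply
per-port or per-host policy to the decrypted traffic as distinct from
the rest of the traffic arriving on $ext_if; that is the gap the
message is asking about for linux-2.5.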

Thread overview: 8+ messages
2003-03-27 11:13 ?completeness of IPsec feature-set John S. Denker
2003-03-27 13:36 ` bert hubert
2003-03-27 21:48   ` John S. Denker [this message]
2003-03-27 21:58     ` bert hubert
2003-03-27 22:58       ` John S. Denker
2003-03-27 23:21       ` James Morris
2003-03-28  6:32       ` Pekka Savola
2003-03-28 10:19         ` bert hubert