[Openswan Users] ipsec look on 2.6

Herbert Xu herbert at gondor.apana.org.au
Thu Dec 1 21:02:41 CET 2005


On Thu, Dec 01, 2005 at 07:36:52AM +0100, Paul Wouters wrote:
> 
> > > - ipsecX interfaces
> >
> > This is arguable as to whether it's an advantage since it introduces
> > other problems such as how it interacts with policy routing.
> 
> From the end-user point of view, this makes tremendous sense. And even for
> developers, seeing plaintext packets with tcpdump, and crossing your fingers
> that the packets will be encrypted after tcpdump can no longer see the
> packets is to me just a very bad design.

Well, issues such as seeing decrypted packets in tcpdump are orthogonal
to having ipsecX interfaces.  In fact, as soon as the current netfilter
IPsec patches are merged, it will be quite easy to add the necessary
hooks so that tcpdump sees the plain-text packets on both inbound and
outbound in addition to the encrypted ones.

This will of course also provide all the needed functionality for
complete control with netfilter on IPsec.
 
> > > - non-linear SA search
> >
> > Huh?
> 
> AFAIK KLIPS uses radij trees where NETKEY has to search linearly through
> kernel state? At least that was what I was told. Especially when doing OE,
> a lot of pass policies are added to the kernel that this becomes important.

It is true that the kernel currently searches policies (what KLIPS call
eroutes) linearly.  However, unlike KLIPS, the native stack has a dst
cache which means that policy lookups are usually done only once for
each flow.

Of course, having a more efficient data structure for initial lookup is
on our TODO list.

> > > - most specific route first selection on SA's
> >
> > Works for the in-kernel stack too.
> 
> Is this used per default as well?

Yes it is used by default with Openswan.  In fact the native stack's
policy (eroute) selection can be done in whatever manner you like.
The Openswan code simply sets the priorities such that it comes out
in the same order as KLIPS.

See the priority calculation in netlink_raw_eroute.

> > The in-kernel stack fully supports PMTU with IPsec.
> 
> Do you know when this was added?

It went into 2.6.12 which was released nearly six months ago.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
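
Added example, not part of the original message and not Openswan or kernel code: a simplified Python model of the two points made above, a priority-ordered policy list that is scanned linearly with the most specific selector first, and a per-flow cache (standing in for the dst cache) so the scan runs once per flow. The `PolicyTable` class, the prefix-length priority rule and the sample addresses are assumptions for illustration; the real priority calculation is the one in netlink_raw_eroute.

```python
import ipaddress

class PolicyTable:
    """Toy model: linear policy scan in priority order plus a per-flow cache."""

    def __init__(self):
        self.policies = []    # (priority, src_net, dst_net, action)
        self.flow_cache = {}  # (src, dst) -> action, models the dst cache
        self.scans = 0        # number of linear searches actually performed

    def add(self, src, dst, action):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # Assumed rule: longer prefixes (more specific) get a lower number
        # and therefore sort first. Not the netlink_raw_eroute formula.
        prio = -(s.prefixlen + d.prefixlen)
        self.policies.append((prio, s, d, action))
        self.policies.sort(key=lambda p: p[0])
        self.flow_cache.clear()  # cached decisions may now be stale

    def lookup(self, src, dst):
        key = (src, dst)
        if key in self.flow_cache:       # fast path: no policy search
            return self.flow_cache[key]
        self.scans += 1
        sa, da = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        action = "none"
        for _, s, d, act in self.policies:  # linear, first match wins
            if sa in s and da in d:
                action = act
                break
        self.flow_cache[key] = action
        return action

def demo():
    # Constructed sample policies: a catch-all pass policy (as OE would add),
    # a subnet-to-subnet tunnel, and a host-to-host exception.
    t = PolicyTable()
    t.add("0.0.0.0/0", "0.0.0.0/0", "pass")
    t.add("10.0.1.0/24", "10.0.2.0/24", "tunnel")
    t.add("10.0.1.5/32", "10.0.2.9/32", "drop")
    first = [t.lookup("10.0.1.5", "10.0.2.9") for _ in range(1000)][0]
    second = t.lookup("10.0.1.7", "10.0.2.9")
    third = t.lookup("192.0.2.1", "198.51.100.1")
    return first, second, third, t.scans

if __name__ == "__main__":
    print(demo())
```

The insertion order of the policies does not matter here: the catch-all pass policy is added first but is consulted last, which is what keeps a broad pass policy from sending tunnel traffic in the clear.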

