[Openswan Users] Re: ipsec look on 2.6

Peter McGill petermcgill at goco.net
Thu Dec 1 10:07:14 CET 2005


> > > - ipsecX interfaces
> >
> > This is arguable as to whether it's an advantage since it introduces
> > other problems such as how it interacts with policy routing.
>
> From the end-user point of view, this makes tremendous sense. And even for
> developers, seeing plaintext packets with tcpdump, and crossing your
> fingers that the packets will be encrypted after tcpdump can no longer see
> the packets is to me just a very bad design.

As an end user, I can definitely say I like the ipsecX interfaces.
I find it makes firewalling and debugging easier and perhaps more secure.

For example, how else would one determine which packets were from
10.10.10.0/24 spoofed from the internet and which were from the 10.10.10.0/24
branch office tunnel? Would marking incoming ESP packets work, or
would the marking disappear with the decapsulation?

Even if it's possible without ipsecX interfaces, it's still easier with
ipsecX interfaces, and more straightforward for the user. After all, pppoe,
ppp and other tunnelling protocols often create their own interfaces too. That
doesn't make it right of course, but I think most people like it; I do.

When I upgrade to kernel 2.6, in the absence of other significant
differences, I would choose KLIPS over NETKEY for the ipsecX interfaces. But
I'm still waiting for 2.6 to become mainstream. As for problems with policy
routing, I haven't experienced any on 2.4; granted, I'm only doing a small
amount of policy routing, but I've had no difficulty.

I suppose if you wanted to make everyone happy, you could make ipsecX
interfaces a compile option, assuming it didn't create too much extra work.


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
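The firewalling distinction the post asks about (genuine 10.10.10.0/24 traffic arriving through the branch-office tunnel versus the same prefix spoofed in cleartext from the internet), shown as an added example that is not from the post or from the Openswan project. On KLIPS the interface name alone carries the proof; on NETKEY, where decrypted packets are re-injected on the physical interface, the iptables policy match (xt_policy) is the equivalent test. Interface names, prefixes and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan).  Two equivalent
# FORWARD-chain rule sets that separate real branch-office traffic (10.10.10.0/24
# arriving through the tunnel) from the same prefix spoofed from the internet.
# Interface names and prefixes below are assumptions.

BRANCH_NET=10.10.10.0/24     # assumed remote LAN behind the tunnel
LOCAL_NET=192.168.1.0/24     # assumed local LAN being protected
WAN_IF=eth0                  # assumed internet-facing interface
IPSEC_IF=ipsec0              # KLIPS virtual interface bound to $WAN_IF

# Dry run by default: print the rules instead of loading them.
# Run with IPT=iptables (as root) to apply them for real.
IPT=${IPT:-"echo iptables"}

# KLIPS (2.4-style): packets decrypted from the tunnel reach netfilter with
# -i ipsec0, so the input interface alone proves they came through IPsec.
# The same prefix seen on the raw WAN interface can only be spoofed.
klips_rules() {
    $IPT -A FORWARD -i "$IPSEC_IF" -s "$BRANCH_NET" -d "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF"   -s "$BRANCH_NET" -j DROP
}

# NETKEY (2.6 native IPsec): no ipsecX device exists; decrypted packets are
# re-injected on the physical interface, so -i no longer separates the cases.
# The policy match checks that the packet was protected by an ESP SA on the
# way in, which is the equivalent test.
netkey_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -s "$BRANCH_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -s "$BRANCH_NET" -j DROP
}

# Rule order matters in both sets: the ACCEPT must precede the blanket DROP,
# otherwise the tunnel traffic is dropped too.  Returns 0 when the named
# rule set has its first ACCEPT before its first DROP.
accept_precedes_drop() {
    a=$("$1" | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    d=$("$1" | grep -n -- '-j DROP'   | head -n 1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# Stand-alone run: show both rule sets (dry run unless IPT was overridden).
echo "# KLIPS rules:";  klips_rules
echo "# NETKEY rules:"; netkey_rules
```

Both sets must sit before any general ACCEPT for the WAN interface, and a matching pair is needed on the other end of the tunnel for the local prefix.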


