[Openswan Users] ipsec look on 2.6

[Paul Wouters]

On Thu, 1 Dec 2005, Herbert Xu wrote:

> Well issues such as seeing decrypted packets in tcpdump is orthogonal
> to having ipsecX interfaces.  In fact, as soon as the current netfilter
> IPsec patches are merged, it will be quite easy to add the necessary
> hooks so that tcpdump sees the plain-text packets on both inbound and
> outbound in addition to the encrypted ones.

That's good!

> This will of course also provide all the needed functionality for
> complete control with netfilter on IPsec.

Is the NAT-T code also moving from XFRM to the netfilter? The advantage
would be that one piece of nat-t code works on both NETKEY and KLIPS. The
problem with the current NETKEY is that it is very specific to apply only
to IPsec, while the openswan nat-traversal patch is more generic, but
currently is not implemented as a netfilter module, so it requires a change
in udp.c, which requires a kernel recompile. If we get nat-t to be done
by a netfilter module, then everyone gets to easilly choice between both
stacks, depending on their needed featureset.

> > AFAIK KLIPS uses radij trees where NETKEY has to search linearly through
> > kernel state? At least that was what I was told. Especially when doing OE,
> > a lot of pass policies are added to the kernel that this becomes important.
>
> It is true that the kernel currently searches policies (what KLIPS call
> eroutes) linearly.  However, unlike KLIPS, the native stack has a dst
> cache which means that policy lookups are usually done only once for
> each flow.

Ah, I did not know about that.

> > > The in-kernel stack fully supports PMTU with IPsec.
> >
> > Do you know when this was added?
>
> It went into 2.6.12 which was released nearly six months ago.

Ahhh. Thanks for the pointers! At least it gives me something
positive to counter the sk_alloc crap caused by 2.6.12 :)

Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)