[Openswan Users] ipsec look on 2.6
paul at xelerance.com
Thu Dec 1 18:49:26 CET 2005
On Thu, 1 Dec 2005, Herbert Xu wrote:
> Well issues such as seeing decrypted packets in tcpdump is orthogonal
> to having ipsecX interfaces. In fact, as soon as the current netfilter
> IPsec patches are merged, it will be quite easy to add the necessary
> hooks so that tcpdump sees the plain-text packets on both inbound and
> outbound in addition to the encrypted ones.
> This will of course also provide all the needed functionality for
> complete control with netfilter on IPsec.
Is the NAT-T code also moving from XFRM to the netfilter? The advantage
would be that one piece of nat-t code works on both NETKEY and KLIPS. The
problem with the current NETKEY is that it is very specific to apply only
to IPsec, while the openswan nat-traversal patch is more generic, but
currently is not implemented as a netfilter module, so it requires a change
in udp.c, which requires a kernel recompile. If we get nat-t to be done
by a netfilter module, then everyone gets to easilly choice between both
stacks, depending on their needed featureset.
> > AFAIK KLIPS uses radij trees where NETKEY has to search linearly through
> > kernel state? At least that was what I was told. Especially when doing OE,
> > a lot of pass policies are added to the kernel that this becomes important.
> It is true that the kernel currently searches policies (what KLIPS call
> eroutes) linearly. However, unlike KLIPS, the native stack has a dst
> cache which means that policy lookups are usually done only once for
> each flow.
Ah, I did not know about that.
> > > The in-kernel stack fully supports PMTU with IPsec.
> > Do you know when this was added?
> It went into 2.6.12 which was released nearly six months ago.
Ahhh. Thanks for the pointers! At least it gives me something
positive to counter the sk_alloc crap caused by 2.6.12 :)
"Happiness is never grand"
--- Mustapha Mond, World Controller (Brave New World)
More information about the Users