
(usagi-users 00385) Re: IPSec for IPv6 on Linux available



Kazunori Miyazawa wrote:
> 
> On Tue, 03 Apr 2001 10:15:46 +0200
> Gerhard Gessler <gessler@xxxxxxx> wrote:
> 
> 
> > This is correct. I know the KLIPS interface and it currently only
> > supports IPv4 (hard wired in code). The FreeSWAN group is planning a
> > redesign (don't ask me when it will happen) and it seems that they tend
> > to use netfilter hooks and tables for that. The appealing thing there is
> > that one can use the netfilter infrastructure for packet matching and
> > packet mangling. The downside is that the SPD and SADB have to be mapped
> > into the netfilter tables. As the search inside the netfilter tables is
> > done in sequence the ordering of the rules for IPsec is very important.
> >
> It is interesting. Did they discuss those topics on ordinary FreeSWAN ML or
> other ML?

The discussion took place / takes place on the ordinary FreeSWAN ML. But
to be honest, not very much is happening there. 

> 
> > This is what we have done in our code. As you might have seen, we don't
> > use the KLIPS interface for IPv6 but we have integrated IPSec into the
> > IPv6 networking stack via function pointers.
> >
> I read your code. I think it is a royal road to IPsec for IPv6
> that we improve yours.
> By the way, why didn't you use crypto routines of International Kernel
> Patch (http://www.kerneli.org/) for encryption and getting hashes?
> IMHO, it is available for IPsec.

The code basis was not written by us (IABG) but by Stefan Schlott. So he
made the decision what crypto library/code to use. I think one reason
was that kerneli.org is always some steps behind the current kernel and
he started with a 2.3.x and finally used the 2.4.0-test9. We just took
what was there and enhanced it with 3DES.

What comes to my mind while writing this: Wouldn't it be good to have
some kind of crypto provider interface so one can easily add crypto
algorithms? I know this is beyond IPSec for IPv6 but perhaps something
where kerneli.org might be interested, too.

> 
> > What we have taken from FreeSWAN is their PF_KEY socket interface, their
> > IKE daemon, and their parsing machinery to extract the information from
> > the PF_KEY messages. We have hooked ourselves into this parsing machinery,
> > collect the information and then write this information into our own
> > SADB.
> >
> > What plans do you have for the integration of IPSec into IPv6 networking
> > stack? Perhaps we could use our code as a discussion basis. We really
> > want to see IPSec for IPv6 in LINUX!
> >
> Yes, we will implement IPsec in a similar way. So your code is useful for us.

Perhaps we could work together (design, testing).

Regards,

	Gerhard

> 
> Thank you for your information,
> 
> --Kazunori Miyazawa


-- 
---------------------------------------------------
Gerhard Geßler

Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany

Phone: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845

E-Mail: gessler@xxxxxxx
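
The rule-ordering concern raised in the quoted message (an SPD mapped into a table that is searched in sequence) can be seen in a small model. This is an added example, not code from the thread, FreeS/WAN, or the IABG patch; the names `spd_lookup` and `spd_first_shadowed` and the sample rules are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: an SPD flattened into a table that is searched in sequence. */
enum action { BYPASS, PROTECT, NO_MATCH };
struct rule { uint8_t prefix[16]; int plen; enum action act; };

/* Return 1 if addr lies inside prefix/plen (plen in bits, 0..128). */
static int in_prefix(const uint8_t *addr, const uint8_t *prefix, int plen)
{
    int full = plen / 8, rem = plen % 8;
    uint8_t mask = (uint8_t)(0xff << (8 - rem));
    if (memcmp(addr, prefix, (size_t)full) != 0)
        return 0;
    return rem == 0 || (addr[full] & mask) == (prefix[full] & mask);
}

/* First match wins, because the table is walked from top to bottom. */
enum action spd_lookup(const struct rule *t, size_t n, const uint8_t *dst)
{
    for (size_t i = 0; i < n; i++)
        if (in_prefix(dst, t[i].prefix, t[i].plen))
            return t[i].act;
    return NO_MATCH;
}

/* Index of the first rule that can never fire because an earlier rule with a
 * different action covers its whole prefix, or -1 if no rule is shadowed. */
int spd_first_shadowed(const struct rule *t, size_t n)
{
    for (size_t j = 1; j < n; j++)
        for (size_t i = 0; i < j; i++)
            if (t[i].plen <= t[j].plen && t[i].act != t[j].act &&
                in_prefix(t[j].prefix, t[i].prefix, t[i].plen))
                return (int)j;
    return -1;
}

/* Constructed sample data in the 2001:db8::/32 documentation range. */
const struct rule bad_order[] = { { {0x20,0x01,0x0d,0xb8}, 32, BYPASS },
                                  { {0x20,0x01,0x0d,0xb8,0,1}, 48, PROTECT } };
const struct rule good_order[] = { { {0x20,0x01,0x0d,0xb8,0,1}, 48, PROTECT },
                                   { {0x20,0x01,0x0d,0xb8}, 32, BYPASS } };
const uint8_t host[16] = { 0x20,0x01,0x0d,0xb8,0,1, [15] = 1 }; /* 2001:db8:1::1 */

int main(void)
{
    printf("bad:  act=%d shadowed=%d\n", spd_lookup(bad_order, 2, host), spd_first_shadowed(bad_order, 2));
    printf("good: act=%d shadowed=%d\n", spd_lookup(good_order, 2, host), spd_first_shadowed(good_order, 2));
    return 0;
}
```

With the broad rule first, traffic to the /48 that should be protected leaves in the clear; running a shadow check like this over the table before it is loaded catches that ordering mistake.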