Date: Wed, 27 Oct 2004 21:13:45 -0700 From: Bruce M Simpson <bms@spc.org> To: David Gilbert <dgilbert@dclg.ca> Cc: Mike Tancsa <mike@sentex.net> Subject: Re: IPSec on current. Message-ID: <20041028041345.GC772@empiric.icir.org> In-Reply-To: <16768.22876.926445.412412@canoe.dclg.ca> References: <16767.52282.937187.190919@canoe.dclg.ca> <6.1.2.0.0.20041027124606.09c40768@64.7.153.2> <16767.53956.366966.737912@canoe.dclg.ca> <6.1.2.0.0.20041027131824.10140c90@64.7.153.2> <m2fz3ztwct.wl@minion.local.neville-neil.com> <16768.22876.926445.412412@canoe.dclg.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 27, 2004 at 10:28:44PM -0400, David Gilbert wrote: > George> Just for the record, yes, FAST_IPSEC does not support INET6. > > Not supporting IPv6 is less of a showstopper than not supporting > FAST_IPSEC as the later is required (for isntance) BGP. I have a whole load of changes to bring in itojun's stuff from NetBSD which makes TCP_SIGNATURE work with KAME IPSEC, and also performs input verification. Unfortunately, due to the way this works, this is all or nothing and needs some rethinking to have the correct granularity. But it's definitely a step in the right direction. In future it'll probably require that applications using TCP_SIGNATURE be able to speak PF_KEY. This stuff is still quite a bit far off from being committed to -CURRENT, though, and I probably won't have a chance to finish it for some time. FAST_IPSEC not jibing with INET6 is a separate issue, but from what I understand, it's quite possible, again, lack of committer time/resource. Regards, BMS
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041028041345.GC772>