From: Sam Leffler
Organization: FreeBSD Project
Date: Mon, 21 Jul 2008 08:42:31 -0700
To: VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org, Larry Baird
Subject: Re: FreeBSD NAT-T patch integration [CFR/CFT]
Message-ID: <4884AE67.4020204@freebsd.org>
In-Reply-To: <20080721142657.GB24677@zen.inc>

VANHULLEBUS Yvan wrote:
> [Larry, I kept you in an explicit CC, even if I guess you subscribed to
> the list]
>
> On Mon, Jul 21, 2008 at 09:26:15AM +0000, Bjoern A. Zeeb wrote:
>
>> On Wed, 16 Jul 2008, Sam Leffler wrote:
>>
>> Hi,
>
> Hi.
>
> [...]
>
>> My main concern at the moment is the API (pfkey stuff) to userland as
>> Yvan had stated in <20080626075307.GA1401@zen.inc>.
>
> It is also one of my main concerns actually.
>
>> I know that at the moment there seems to be one public (pseudo) reference
>> implementation this all works together but there might be/are other
>> people not using libipsec from ipsec-tools.
>
> Well, people who use another libipsec are expected to "just" not see
> NAT-T extensions.
>
> The only "real issue" is that, actually, NAT-T ports are sent through
> sockaddr structs, when RFC 2367 says that zeroing ports MUST be done
> (section 2.3.3).
>
> There is already an open ticket on ipsec-tools side to clean up that
> part of the code on userland's side of PFKey interface, and I hope
> it will be done for 0.8.0 release (sorry, no release date for now).
>
> As soon as I have a working patch on userland, I'll do the work on
> FreeBSD's kernel side. I hope everything will be done within a few
> weeks, but I already know that we'll have backward compatibility
> issues with various kernels (ipsec-tools runs at least on FreeBSD,
> NetBSD, Linux and MacOSX).

With regard to changing the kernel API. First, this is HEAD and APIs can change. I intentionally have said nothing about MFC and didn't touch user code. Getting the support into the kernel enables use and testing which was the point of getting the logjam broken so full NAT-T support can ship w/ 8.0. I committed to get everything necessary in the tree in time for 8.0 but now that you have direct access to FreeBSD's repo I think that's less important.

Sam