Re: ipsec kernel api
In message <199903141917.MAA09532@openbsd.cs.colorado.edu>, you write:
>In message <19990314094753.A315@long-haul.net>, jetienne@ifhamy.insa-lyon.fr w
>>Is any documentation available about the kernel API used for IPsec?
>>Is it a proprietary API or is there a specification? If so, where can I
>>find it?
>The kernel API has just been changed to PFKEYv2. Its specification is
>described in RFC 2367. There is also a setsockopt interface along the
>lines of draft-mcdonald-simple-ipsec-api.
PF_KEYv2 is an API for security association management (i.e., key management)
software to communicate with security association consumers (i.e., the kernel's
IPsec implementation). It is NOT an IPsec API for applications, which is what I
believe the original poster is asking for.
My read of the current OpenBSD code, which could well be wrong, is that there
basically is no application IPsec API; only configured tunnels or policies are
supported. I've been working a lot on an IPsec (et al.) API for sockets that
would be appropriate for applications, and there is some code in the last NRL
release and will be a lot more and better in the next one. One approach (that
I'd personally like ;) would be for a future version of OpenBSD to integrate
the results of that work. It's probably way too late for 2.5.
-Craig
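The PF_KEYv2 exchange Craig describes, key-management software talking to the kernel's SA consumer, as an added example in C that is not part of this thread or of the NRL or OpenBSD code. It assumes the system header (<linux/pfkeyv2.h>, or <net/pfkeyv2.h> on BSD) carries the RFC 2367 structures and that the socket is opened with root privilege.

```c
/* Added example (not from the thread): key-management software asking the
 * kernel's SA consumer to dump its ESP SAs over PF_KEYv2 (RFC 2367).
 * Assumes the system header provides the RFC 2367 structures; needs root. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/pfkeyv2.h>
#else
#include <net/pfkeyv2.h>
#endif

/* Fill an SADB_DUMP request.  sadb_msg_len counts 64-bit words (RFC 2367
 * section 2.1), so a header-only message has length 2.  Returns bytes to send. */
size_t build_sadb_dump(struct sadb_msg *m, uint8_t satype, uint32_t seq, uint32_t pid)
{
    *m = (struct sadb_msg){ .sadb_msg_version = PF_KEY_V2, .sadb_msg_type = SADB_DUMP,
                            .sadb_msg_satype = satype, .sadb_msg_seq = seq, .sadb_msg_pid = pid,
                            .sadb_msg_len = sizeof(*m) / sizeof(uint64_t) };
    return sizeof(*m);
}

/* Sanity-check a kernel reply before parsing its extensions: right version,
 * declared length equal to the bytes read, expected type, our pid echoed back
 * (a PF_KEY socket also sees other processes' traffic), and no kernel errno.
 * sadb_msg_seq is not compared: a dump series uses it to mark its own messages. */
int check_sadb_reply(const struct sadb_msg *m, size_t got, uint8_t type, uint32_t pid)
{
    if (got < sizeof(*m) || m->sadb_msg_version != PF_KEY_V2) return -1;
    if ((size_t)m->sadb_msg_len * sizeof(uint64_t) != got) return -1;
    if (m->sadb_msg_type != type || m->sadb_msg_pid != pid) return -1;
    return m->sadb_msg_errno ? -1 : 0;
}

int main(void)
{
    struct sadb_msg req;
    uint64_t buf[512];                          /* 64-bit aligned like the messages */
    struct sadb_msg *rep = (struct sadb_msg *)buf;
    uint32_t pid = (uint32_t)getpid();
    int fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    if (fd < 0) { perror("socket(PF_KEY)"); return 1; }
    size_t n = build_sadb_dump(&req, SADB_SATYPE_ESP, 1, pid);
    if (write(fd, &req, n) != (ssize_t)n) { perror("write"); return 1; }
    ssize_t got = read(fd, buf, sizeof buf);    /* first message of the dump series */
    if (got < 0) { perror("read"); return 1; }
    printf("reply %s, kernel errno %u\n",
           check_sadb_reply(rep, (size_t)got, SADB_DUMP, pid) ? "rejected" : "usable",
           rep->sadb_msg_errno);
    return 0;
}
```

With an empty SA database the kernel answers the dump with an error reply (errno set in the header), which `check_sadb_reply` rejects rather than letting the caller parse absent extensions.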