[ previous ] [ next ] [ threads ]
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT-T?
 Date:  Tue, 17 Aug 2004 00:52:11 -0700 (PDT)
On Mon, 16 Aug 2004, Brian wrote:

> Shows how much I know about FreeBSD. :)  I assumed the KAME stuff was all
> that was to be had (which I further assume is the IPv6 code). Since
> m0n0wall supports the hifn stuff, I take it the HW crypto branch is whats
> currently used?

Yes, m0n0wall uses FAST_IPSEC, which is actually a port of the IPsec code
from OpenBSD, which has a whole "crypto framework" to support various
kinds of accelerator hardware.  I believe the problem is that the port
only got as far as making it work for IPv4, which is why it doesn't handle
IPv6 (in FreeBSD; I imagine it does in OpenBSD).  And there are too many
conflicts to have both kinds included at once.

I believe OpenBSD's IPsec code was originally derived from KAME, which is
why one sees lots of similarities between the two sets of sources in
FreeBSD.  In other words, the lineage is:

	KAME----->OpenBSD------>FreeBSD FAST_IPSEC
	     \----------------->FreeBSD IPSEC

If you're looking at sources, the KAME version is in sys/netkey, while the
FAST version is in sys/netipsec (at least for the key-related routines).

					Fred Wright