Subject: Re: IPSEC anyone?
To: Erik E. Fair <fair@clock.org>
From: Matt Thomas <matt@3am-software.com>
List: current-users
Date: 03/16/1998 10:01:43
At 10:32 PM 3/14/98 , Erik E. Fair wrote:
>Which key management scheme is that code using? Photouris, SKIP, or
>ISAKMP/Oakley?
ISAKMP/Oakley definitely. Note that the current example
isakmp daemons are pre-shared secrets only.
I've begun adding support for IPsec to my netinet sources.
I'm using "options IPSEC" for my changes.
[The following should go to tech-kern or tech-net ...]
For IPsec I need to add a few things to the session structure (to
maintain one's default identity) and the proc structure (for
policy). For the latter, I'd like a generic list in the proc
structure which would be
    struct proc_extension {
        LIST_ENTRY(proc_extension) pext_qentry;
        int (*pext_handler)(struct proc *p, int why,
                            struct proc_extension *pext);
    };

    #define PEXT_FORK   1
    #define PEXT_VFORK  2
    #define PEXT_EXIT   3
    #define PEXT_EXEC   4
The handler is called on fork, vfork, exit, or exec with the current/new
proc and the pext of the current/old process. On fork/vfork it
is up to the handler to link/create/whatever the pext to the new
process if the inheritance is desired. If the routine returns
a non-zero value (only allowed for fork/vfork), the fork is aborted
(the handler would be called before the address space is cloned
to reduce overhead in this case).
It would be nice to have a few extra syscalls (but one can get
around that with a pseudo device, a sysctl hack, or a new address
family).
Note that many of the changes needed for IPsec are also needed
for IPv6.
--
Matt Thomas               Internet:   matt@3am-software.com
3am Software Foundry      WWW URL:    http://www.3am-software.com/bio/matt/
Nashua, NH                Disclaimer: I disavow all knowledge of this message
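The proc_extension hook list proposed in the message above, worked through as a user-space model so the fork/vfork/exit/exec calling convention can be seen end to end. This is an added example, not code from the message or from NetBSD: the struct names and PEXT_* values follow the message, but the singly linked pext_next pointer (standing in for LIST_ENTRY so nothing depends on <sys/queue.h>), the ipsec_pext record with its ip_require_esp and ip_no_fork policy fields, and the proc_fork()/proc_exit() stand-ins for the kernel paths are all assumptions made for illustration. The handler does the inheritance itself on fork (the child gets its own copy of the policy), vetoes the fork when its policy says so, leaves the record alone across exec, and tears it down on exit.

```c
#include <stdlib.h>
/* User-space model of the proc_extension hook list sketched in the message.
 * Names and PEXT_* values follow the message; the list plumbing, ipsec_pext,
 * its policy fields and proc_fork()/proc_exit() are assumptions made for
 * this example, not NetBSD kernel code. */
#define PEXT_FORK  1
#define PEXT_VFORK 2
#define PEXT_EXIT  3
#define PEXT_EXEC  4

struct proc { int p_pid; struct proc_extension *p_exts; };
struct proc_extension {
	struct proc_extension *pext_next;	/* stands in for LIST_ENTRY */
	int (*pext_handler)(struct proc *p, int why, struct proc_extension *pext);
};
struct ipsec_pext {			/* assumed per-process IPsec policy */
	struct proc_extension ip_hdr;	/* generic header, must come first */
	int ip_require_esp, ip_no_fork;	/* require ESP outbound; forbid fork */
};
static void pext_attach(struct proc *p, struct proc_extension *pext)
{
	pext->pext_next = p->p_exts;
	p->p_exts = pext;
}
static void pext_detach(struct proc *p, struct proc_extension *pext)
{
	struct proc_extension **pp = &p->p_exts;
	while (*pp != pext) pp = &(*pp)->pext_next;	/* pext is known to be listed */
	*pp = pext->pext_next;
}

/* Run every handler on `from' for event `why'.  For fork/vfork `p' is the new
 * process and `from' the parent; otherwise p == from.  A non-zero return only
 * counts for fork/vfork (veto); `next' is read first since exit handlers free. */
static int pext_run(struct proc *from, struct proc *p, int why)
{
	struct proc_extension *pext, *next;
	int veto = 0;
	for (pext = from->p_exts; pext != NULL; pext = next) {
		next = pext->pext_next;
		if ((*pext->pext_handler)(p, why, pext) != 0 && (why == PEXT_FORK || why == PEXT_VFORK))
			veto = 1;
	}
	return veto;
}

static int ipsec_pext_handler(struct proc *p, int why, struct proc_extension *pext)
{
	struct ipsec_pext *ip = (struct ipsec_pext *)pext, *child;
	switch (why) {
	case PEXT_FORK:
	case PEXT_VFORK:
		if (ip->ip_no_fork) return 1;	/* veto: runs before the address space is cloned */
		if ((child = malloc(sizeof(*child))) == NULL) return 1;
		*child = *ip;			/* inheritance is the handler's job: */
		pext_attach(p, &child->ip_hdr);	/* the child gets its own copy */
		return 0;
	case PEXT_EXIT:
		pext_detach(p, pext);		/* tear the record down with the process */
		free(ip);
		return 0;
	}
	return 0;				/* PEXT_EXEC: policy survives exec unchanged */
}

static struct ipsec_pext *ipsec_policy_of(struct proc *p)
{
	struct proc_extension *pext;
	for (pext = p->p_exts; pext != NULL; pext = pext->pext_next)
		if (pext->pext_handler == ipsec_pext_handler)
			return (struct ipsec_pext *)pext;
	return NULL;
}
static struct ipsec_pext *ipsec_policy_set(struct proc *p, int require_esp, int no_fork)
{
	struct ipsec_pext *ip = calloc(1, sizeof(*ip));
	if (ip == NULL) return NULL;
	ip->ip_hdr.pext_handler = ipsec_pext_handler;
	ip->ip_require_esp = require_esp;
	ip->ip_no_fork = no_fork;
	pext_attach(p, &ip->ip_hdr);
	return ip;
}

/* Stand-ins for the kernel fork and exit paths that would run the hooks. */
static struct proc *proc_fork(struct proc *parent, int pid)
{
	struct proc *child = calloc(1, sizeof(*child));
	if (child == NULL) return NULL;
	child->p_pid = pid;
	if (pext_run(parent, child, PEXT_FORK) == 0) return child;
	pext_run(child, child, PEXT_EXIT);	/* vetoed: undo what other handlers attached */
	free(child);
	return NULL;
}
static void proc_exit(struct proc *p)
{
	pext_run(p, p, PEXT_EXIT);
	free(p);
}
```

Two details matter if this were moved into a kernel: pext_run() reads the next pointer before calling each handler, because an exit handler unlinks and frees its own record, and a vetoed fork still runs the PEXT_EXIT pass over the half-built child so that records attached by handlers that ran before the vetoing one do not leak.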