Source-Changes-HG archive


[src/trunk]: src Make FAST_IPSEC the default IPSEC implementation which is built



details:   https://anonhg.NetBSD.org/src/rev/a2dd3dc3fdbb
branches:  trunk
changeset: 772592:a2dd3dc3fdbb
user:      drochner <drochner%NetBSD.org@localhost>
date:      Mon Jan 09 15:16:30 2012 +0000

description:
Make FAST_IPSEC the default IPSEC implementation which is built
into the kernel if the "IPSEC" kernel option is given.
The old implementation is still available as KAME_IPSEC.
Do some minimal manpage adjustment -- kame_ipsec(4) is a copy
of the old ipsec(4) and the latter is now a copy of fast_ipsec(4).

diffstat:

 distrib/sets/lists/man/mi   |    4 +-
 share/man/man4/Makefile     |    4 +-
 share/man/man4/fast_ipsec.4 |    7 +-
 share/man/man4/ipsec.4      |  464 +++++++++----------------------------------
 share/man/man4/kame_ipsec.4 |  394 +++++++++++++++++++++++++++++++++++++
 share/man/man4/options.4    |   18 +-
 sys/netinet6/files.ipsec    |    3 +-
 sys/netipsec/files.netipsec |    5 +-
 8 files changed, 517 insertions(+), 382 deletions(-)

diffs (truncated from 1039 to 300 lines):

diff -r 31f0266034f6 -r a2dd3dc3fdbb distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Mon Jan 09 15:15:40 2012 +0000
+++ b/distrib/sets/lists/man/mi Mon Jan 09 15:16:30 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1363 2012/01/04 16:25:15 yamt Exp $
+# $NetBSD: mi,v 1.1364 2012/01/09 15:16:30 drochner Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -1236,6 +1236,7 @@
 ./usr/share/man/cat4/jme.0                     man-sys-catman          .cat
 ./usr/share/man/cat4/jmide.0                   man-sys-catman          .cat
 ./usr/share/man/cat4/joy.0                     man-sys-catman          .cat
+./usr/share/man/cat4/kame_ipsec.0              man-sys-catman          .cat
 ./usr/share/man/cat4/kloader.0                 man-sys-catman          .cat
 ./usr/share/man/cat4/kse.0                     man-sys-catman          .cat
 ./usr/share/man/cat4/ksyms.0                   man-sys-catman          .cat
@@ -6719,6 +6720,7 @@
 ./usr/share/man/man4/jme.4                     man-sys-man             .man
 ./usr/share/man/man4/jmide.4                   man-sys-man             .man
 ./usr/share/man/man4/joy.4                     man-sys-man             .man
+./usr/share/man/man4/kame_ipsec.4              man-sys-man             .man
 ./usr/share/man/man4/kloader.4                 man-sys-man             .man
 ./usr/share/man/man4/kse.4                     man-sys-man             .man
 ./usr/share/man/man4/ksyms.4                   man-sys-man             .man
diff -r 31f0266034f6 -r a2dd3dc3fdbb share/man/man4/Makefile
--- a/share/man/man4/Makefile   Mon Jan 09 15:15:40 2012 +0000
+++ b/share/man/man4/Makefile   Mon Jan 09 15:16:30 2012 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.576 2012/01/04 16:25:16 yamt Exp $
+#      $NetBSD: Makefile,v 1.577 2012/01/09 15:16:31 drochner Exp $
 #      @(#)Makefile    8.1 (Berkeley) 6/18/93
 
 MAN=   aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \
@@ -35,7 +35,7 @@
        ioasic.4 ioat.4 iop.4 iophy.4 iopsp.4 ip.4 ipkdb.4 ipmi.4 ipw.4 \
        irmce.4 iso.4 isp.4 isv.4 itesio.4 iteide.4 iwi.4 iwn.4 ixg.4 ixpide.4 \
        jme.4 jmide.4 joy.4 \
-       kloader.4 kse.4 ksyms.4 kttcp.4 \
+       kame_ipsec.4 kloader.4 kse.4 ksyms.4 kttcp.4 \
        lc.4 ld.4 lii.4 lo.4 lxtphy.4 \
        mainbus.4 makphy.4 mbe.4 mca.4 mcclock.4 md.4 mfb.4 mfi.4 mhzc.4 \
        midi.4 mii.4 mk48txx.4 mlx.4 mly.4 mpls.4 mpt.4 mpu.4 mtd.4 \
diff -r 31f0266034f6 -r a2dd3dc3fdbb share/man/man4/fast_ipsec.4
--- a/share/man/man4/fast_ipsec.4       Mon Jan 09 15:15:40 2012 +0000
+++ b/share/man/man4/fast_ipsec.4       Mon Jan 09 15:16:30 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: fast_ipsec.4,v 1.9 2010/09/21 13:47:41 degroote Exp $
+.\"    $NetBSD: fast_ipsec.4,v 1.10 2012/01/09 15:16:31 drochner Exp $
 .\"    $FreeBSD: fast_ipsec.4,v 1.2 2003/03/03 11:51:30 ru Exp $
 .\"
 .\" Copyright (c) 2004
@@ -28,17 +28,16 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 .\" THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 24, 2007
+.Dd January 9, 2012
 .Dt FAST_IPSEC 4
 .Os
 .Sh NAME
 .Nm fast_ipsec
 .Nd Fast IPsec hardware-accelerated IP Security Protocols
 .Sh SYNOPSIS
-.Cd "options FAST_IPSEC"
+.Cd "options IPSEC"
 .Cd "options IPSEC_DEBUG"
 .Cd "options IPSEC_NAT_T"
-.Cd "pseudo-device crypto"
 .Sh DESCRIPTION
 .Tn IPsec
 is a set of protocols,
diff -r 31f0266034f6 -r a2dd3dc3fdbb share/man/man4/ipsec.4
--- a/share/man/man4/ipsec.4    Mon Jan 09 15:15:40 2012 +0000
+++ b/share/man/man4/ipsec.4    Mon Jan 09 15:16:30 2012 +0000
@@ -1,8 +1,11 @@
-.\"    $NetBSD: ipsec.4,v 1.31 2009/05/17 02:22:43 fair Exp $
-.\"    $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
+.\"    $NetBSD: ipsec.4,v 1.32 2012/01/09 15:16:31 drochner Exp $
+.\"    $FreeBSD: fast_ipsec.4,v 1.2 2003/03/03 11:51:30 ru Exp $
 .\"
-.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-.\" All rights reserved.
+.\" Copyright (c) 2004
+.\"    Jonathan Stone <jonathan%dsg.stanford.edu@localhost>. All rights reserved.
+.\"
+.\" Copyright (c) 2003
+.\"    Sam Leffler <sam%errno.com@localhost>. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
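Review bot: the `$FreeBSD: fast_ipsec.4,v ...$` tag now sits in a file named ipsec.4 and the copyright holders change from the WIDE Project to Jonathan Stone and Sam Leffler without explanation; since the commit description says this page is a copy of fast_ipsec.4, a `.\"` comment stating that would explain both the foreign RCS id and the new license block to the next editor.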
@@ -12,383 +15,112 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\"    may be used to endorse or promote products derived from this software
-.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" THIS SOFTWARE IS PROVIDED BY Sam Leffler AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+.\" THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 16, 2009
-.Dt IPSEC 4
+.Dd January 9, 2012
+.Dt FAST_IPSEC 4
 .Os
 .Sh NAME
-.Nm ipsec
-.Nd IP security protocol
+.Nm fast_ipsec
+.Nd Fast IPsec hardware-accelerated IP Security Protocols
 .Sh SYNOPSIS
-.In sys/types.h
-.In netinet/in.h
-.In netinet6/ipsec.h
-.Pp
-.Cd options IPSEC
-.Cd options IPSEC_ESP
-.Cd options IPSEC_NAT_T
-.Cd options IPSEC_DEBUG
+.Cd "options IPSEC"
+.Cd "options IPSEC_DEBUG"
+.Cd "options IPSEC_NAT_T"
 .Sh DESCRIPTION
-.Nm
-is a security protocol in Internet Protocol (IP) layer.
-.Nm
-is defined for both IPv4 and IPv6
-.Po
-.Xr inet 4
-and
-.Xr inet6 4
-.Pc .
-.Nm
-consists of two sub-protocols:
-.Pp
-.Bl -hang
-.It Em Encapsulated Security Payload Pq ESP
-protects IP payload from wire-tapping (interception) by encrypting it with
-secret key cryptography algorithms.
-.It Em Authentication Header Pq AH
-guarantees integrity of IP packet
-and protects it from intermediate alteration or impersonation,
-by attaching cryptographic checksum computed by one-way hash functions.
-.El
-.Pp
-.Nm
-has two operation modes:
-.Pp
-.Bl -hang
-.It Em Transport mode
-is for protecting peer-to-peer communication between end nodes.
-.It Em Tunnel mode
-includes IP-in-IP encapsulation operation
-and is designed for security gateways, as in Virtual Private Network
-.Pq Tn VPN
-configurations.
-.El
-.Pp
-The following kernel options are available:
-.Bl -ohang
-.It Cd options IPSEC
-Includes support for the
 .Tn IPsec
-protocol.
-.Em IPSEC
-will enable
-secret key management part,
-policy management part,
-.Tn AH
-and
-.Tn IPComp .
-Kernel binary will not be subject to export control in most of countries,
-even if compiled with
-.Em IPSEC .
-For example, it should be okay to export it from the United States of America.
-.Em INET6
-and
-.Em IPSEC
-are orthogonal so you can get IPv4-only kernel with IPsec support,
-IPv4/v6 dual support kernel without IPsec, and so forth.
-This option requires
-.Em INET
-at this moment, but it should not.
-.It Cd options IPSEC_DEBUG
-Enables debugging code in
-.Tn IPsec
-stack.
-This option assumes
-.Em IPSEC .
-.It Cd options IPSEC_ESP
-Includes support for
-.Tn IPsec
+is a set of protocols,
 .Tn ESP
-protocol.
-.Em IPSEC_ESP
-will enable source code that is subject to export control in some countries
-.Pq including the United States ,
-and compiled kernel binary will be subject to certain restriction.
-This option assumes
-.Em IPSEC .
-.It Cd options IPSEC_NAT_T
-Includes support for
-.Tn IPsec
-Network Address Translator Traversal (NAT-T), as described in RFCs 3947
-and 3948.
-This feature might be patent-encumbered in some countries.
-This option assumes
-.Em IPSEC
-and
-.Em IPSEC_ESP .
-.El
-.\"
-.Ss Kernel interface
-.Nm
-is controlled by key management engine and policy engine,
-in the operating system kernel.
-.Pp
-Key management engine can be accessed from the userland by using
-.Dv PF_KEY
-sockets.
-The
-.Dv PF_KEY
-socket API is defined in RFC2367.
-.Pp
-Policy engine can be controlled by extended part of
-.Dv PF_KEY
-API,
-.Xr setsockopt 2
-operations, and
-.Xr sysctl 3
-interface.
-The kernel implements
-extended version of
-.Dv PF_KEY
-interface, and allows you to define IPsec policy like per-packet filters.
-.Xr setsockopt 2
-interface is used to define per-socket behavior, and
-.Xr sysctl 3
-interface is used to define host-wide default behavior.
-.Pp
-The kernel code does not implement dynamic encryption key exchange protocol
-like IKE
-.Pq Internet Key Exchange .
-That should be implemented as userland programs
-.Pq usually as daemons ,
-by using the above described APIs.
-.\"
-.Ss Policy management
-The kernel implements experimental policy management code.
-You can manage the IPsec policy in two ways.
-One is to configure per-socket policy using
-.Xr setsockopt 2 .
-The other is to configure kernel packet filter-based policy using
-.Dv PF_KEY
-interface, via
-.Xr setkey 8 .
-In both cases, IPsec policy must be specified with syntax described in
-.Xr ipsec_set_policy 3 .
-.Pp
-With
-.Xr setsockopt 2 ,
-you can define IPsec policy in per-socket basis.
-You can enforce particular IPsec policy onto packets that go through
-particular socket.
-.Pp
-With
-.Xr setkey 8
-you can define IPsec policy against packets,
-using sort of packet filtering rule.
-Refer to
-.Xr setkey 8
-on how to use it.
-.Pp
-In the latter case,
-.Dq Li default
-policy is allowed for use with
-.Xr setkey 8 .
-By configuring policy to
-.Li default ,
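Review bot: the copied body keeps `.Dt FAST_IPSEC 4` and `.Nm fast_ipsec`, so `man ipsec` will render with the title FAST_IPSEC(4) and every `.Nm` in the text expands to fast_ipsec; set `.Dt IPSEC 4` and `.Nm ipsec` (adding `.Nm fast_ipsec` as a second name if wanted) so the page matches its file name. More generally, a several-hundred-line verbatim copy of fast_ipsec.4 will drift from its source; an MLINKS entry in share/man/man4/Makefile pointing ipsec.4 at fast_ipsec.4 gives the same result without duplication. The disclaimer naming `Bill Paul OR THE VOICES IN HIS HEAD` is inherited from the copied file but does not match the copyright holders listed above it.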