tech-net archive
Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 02:18:41PM -0500, David Young wrote:
> <soapbox>
> These difficulties sound like a symptom of the design flaw in NetBSD's
> IPsec that we should not repeat: hard-coding hooks in the IP input
> and output routines. A design that re-used existing abstractions
> to provide building blocks to the operator---for example, an IPsec
> pseudo-interface where the IPsec processing occurs---would be more
> versatile and transparent, and it would spare us some complexity in the
> IP code.
OpenS/WAN did it this way on Linux. It came with its own whole set of
nastinesses, notably a huge profusion of interfaces on any kind of busy
IPsec gateway. I'm not sure it's really much better.
Thor