Subject: Re: hardware crypto (fwd)
To: None <itojun@iijlab.net>
From: Angelos D. Keromytis <angelos@dsl.cis.upenn.edu>
List: tech-security
Date: 04/12/2000 13:04:26
Cc: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>,
hubert.feyrer@informatik.fh-regensburg.de, tech-security@netbsd.org
In-reply-to: Your message of "Thu, 13 Apr 2000 00:31:14 +0900."
<7494.955553474@coconut.itojun.org>
Date: Wed, 12 Apr 2000 13:04:26 -0400
> I'll definitely need to look at openbsd. after quick browse,
> there's one major difference in kame-ipsec and openbsd-ipsec code
> orientation. in openbsd-ipsec a packet will visit ip_input or
> ip_output more than once. kame-ipsec tries to avoid it.
> this makes some difference in creating ipsec processing queue.
On output, only twice; the second time a flag will be set that prevents
IPsec processing from happening again (to avoid loops). You're correct about
input.
-Angelos