Lines Matching full:ipsec

69 	4. IPsec
75 4.6 ECN consideration on IPsec tunnels
77 4.8 Operations with IPsec tunnel mode
78 4.8.1 RFC2401 IPsec tunnel mode approach
79 4.8.2 draft-touch-ipsec-vpn approach
937 IPsec does not work on jumbograms. This is due to some specification twists
977 Because of this, if you receive an IPsec-over-IPv4 packet with a massive
978 number of IPsec headers, the kernel stack may blow up. IPsec-over-IPv6 is okay.
1245 which was derived from NRL IPv6/IPsec stack. We guess it supports IPv4 mapped
1266 which was derived from NRL IPv6/IPsec stack.
1354 node to be able to construct IPv4 IPsec headers. If a node knows how to
1355 construct IPv4 IPsec headers, that is not an IPv6-only node, it is a dual-stack
1777 4. IPsec
1779 IPsec is implemented as the following three components.
1785 Note that KAME/OpenBSD does NOT include support for KAME IPsec code,
1786 as OpenBSD team has their home-brew IPsec stack and they have no plan
1787 to replace it. IPv6 support for IPsec is, therefore, lacking on KAME/OpenBSD.
1789 http://www.netbsd.org/Documentation/network/ipsec/ has more information
1811 to require keys (like ping -P 'out ipsec esp/transport//use').
1829 IPsec module is implemented as "hooks" to the standard IPv4/IPv6
1851 - You cannot run a routing daemon across an IPsec tunnel, since we do not model
1852 the IPsec tunnel as a pseudo interface.
1855 - Path MTU discovery does not work across IPv6 IPsec tunnel gateway due to
1872 random length padding. By setting net.inet.ipsec.esp_randpad (or
1887 The protocol design of IPComp is very similar to IPsec, though it was
1888 defined separately from IPsec itself.
1891 - IPComp is treated as part of IPsec protocol suite, and SPI and
1921 see ipsec wg mailing list discussion in Jan 2000 for details.
1925 The IPsec code in the kernel conforms (or, tries to conform) to the
1927 "old IPsec" specification documented in rfc182[5-9].txt
1928 "new IPsec" specification documented in:
1936 old IPsec AH
1943 old IPsec ESP
1946 new IPsec AH
1952 HMAC SHA2-256 with 96bit crypto checksum (draft-ietf-ipsec-ciph-sha-256-00.txt)
1957 new IPsec ESP
1960 (draft-ietf-ipsec-ciph-des-derived-01.txt, draft expired)
1968 each of the above can be combined with new IPsec AH schemes for
1974 old IPsec AH
1983 4.6 ECN consideration on IPsec tunnels
1985 KAME IPsec implements ECN-friendly IPsec tunnel, described in
1986 draft-ietf-ipsec-ecn-02.txt.
1987 Normal IPsec tunnel is described in RFC2401. On encapsulation,
1993 To make IPsec tunnel ECN-friendly, we should modify encapsulation
1995 draft-ietf-ipsec-ecn-02.txt, chapter 3.3.
1997 KAME IPsec tunnel implementation can give you three behaviors, by setting
1998 net.inet.ipsec.ecn (or net.inet6.ipsec6.ecn) to some value:
2003 (draft-ietf-ipsec-ecn-02 wants per-SA configuration, but it looks too much
2023 - if both IPsec tunnel endpoints are capable of ECN-friendly behavior,
2031 draft-ietf-ipsec-ecn-02.txt
2039 IPsec, IPComp (in kernel) and IKE (in userland as "racoon") have been tested
2041 with many other implementations well. Also, KAME IPsec has quite wide
2042 coverage for IPsec crypto algorithms documented in RFC (we do not cover
2045 Here are (some of) platforms we have tested IPsec/IKE interoperability
2055 NAI PGPnet, NEC IX5000, NIST (linux IPsec + plutoplus),
2070 VPNC (vpnc.org) provides IPsec conformance tests, using KAME and OpenBSD
2071 IPsec/IKE implementations. Their test results are available at
2073 about which implementation interoperates with KAME IPsec/IKE implementation.
2075 4.8 Operations with IPsec tunnel mode
2077 First of all, IPsec tunnel is a very hairy thing. It seems to do a neat thing
2081 RFC2401 defines IPsec tunnel mode, within the context of IPsec. RFC2401
2085 IPsec tunnel mode as filters - not as pseudo interfaces.
2087 There are some people who are trying to separate IPsec "tunnel mode" from
2088 the IPsec itself. They would like to implement IPsec transport mode only,
2090 in draft-touch-ipsec-vpn-01.txt. However, if you really define pseudo
2091 interfaces separately from IPsec, IKE daemons would need to negotiate
2093 really mix RFC2401-based interpretation and draft-touch-ipsec-vpn-01.txt
2098 - RFC2401 IPsec tunnel mode approach (4.8.1)
2099 - draft-touch-ipsec-vpn approach (4.8.2)
2104 RFC2401 IPsec tunnel mode (filter-like) approach
2106 CON: cannot run routing daemons across IPsec tunnels
2110 draft-touch-ipsec-vpn (transportmode + Pseudo-interface) approach
2111 PRO: run routing daemons across IPsec tunnels
2113 IPsec tunnel pseudo devices
2119 CON: cannot negotiate IKE with other IPsec tunnel-mode devices
2125 - use draft-touch-ipsec-vpn if you have the control over the other end.
2127 - if the other end is a normal IPsec device with an RFC2401 implementation,
2130 and there's no plan to use IPsec gateway itself as an originating device.
2132 4.8.1 RFC2401 IPsec tunnel mode approach
2134 To configure your device as RFC2401 IPsec tunnel mode endpoint, you will
2149 spdadd A B any -P out ipsec esp/tunnel/C-D/use;
2150 spdadd B A any -P in ipsec esp/tunnel/D-C/use;
2167 - Running routing protocols on top of the IPsec tunnel is not possible.
2168 As there is no pseudo device that identifies the IPsec tunnel,
2172 4.8.2 draft-touch-ipsec-vpn approach
2175 IPsec transport mode SAs.
2180 spdadd C D any -P out ipsec esp/transport//use;
2181 spdadd D C any -P in ipsec esp/transport//use;
2192 the other end is using draft-touch-ipsec-vpn approach too. Since racoon(8)
2194 negotiating IPsec transport-mode SAs with the other end, not tunnel-mode SAs.
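The two configurations contrasted in 4.8.1 and 4.8.2, as an added example written for this page (it is not KAME's own code or documentation). It keeps the page's notation: A and B are the protected networks, C and D the gateway addresses. The gif0 interface name, its tunnel-link addresses and the `ifconfig gif0 create` step are assumptions for illustration; the spdadd lines are the ones the page shows. Both generators only print configuration, so the script can be run anywhere; `apply_spd` feeds it to setkey(8) when that command exists.

```shell
#!/bin/sh
# Added example, not KAME's code. Generates SPD entries (and, for the
# draft-touch approach, the gif(4) tunnel setup) for both IPsec tunnel
# styles discussed in 4.8.1 and 4.8.2 of the KAME IMPLEMENTATION notes.
#
# Arguments follow the page's notation:
#   A, B = protected networks in CIDR form, C, D = gateway addresses.

# 4.8.1: RFC2401 tunnel mode. The policy matches the end-to-end traffic
# A <-> B and the kernel encapsulates it between C and D. There is no
# pseudo-interface, so no route can point "into" the tunnel and a routing
# daemon cannot run across it.
rfc2401_spd() {
    a=$1 b=$2 c=$3 d=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/use;\n' "$a" "$b" "$c" "$d"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/use;\n' "$b" "$a" "$d" "$c"
}

# 4.8.2: draft-touch-ipsec-vpn. A gif(4) tunnel between C and D carries the
# A <-> B traffic as IP-in-IP; the SPD then only has to cover the
# gateway-to-gateway outer packets with transport-mode ESP. gif0 is a real
# interface, so routes and routing daemons can use it.
# (gif0, the link addresses and "ifconfig gif0 create" are assumptions.)
touch_vpn_gif() {
    c=$1 d=$2 link_local=$3 link_remote=$4
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$c" "$d"
    printf 'ifconfig gif0 inet %s %s\n' "$link_local" "$link_remote"
}

touch_vpn_spd() {
    c=$1 d=$2
    printf 'spdadd %s %s any -P out ipsec esp/transport//use;\n' "$c" "$d"
    printf 'spdadd %s %s any -P in ipsec esp/transport//use;\n' "$d" "$c"
}

# Load generated SPD text with setkey(8) if it is installed; otherwise just
# echo it so the script is usable for review on any host.
apply_spd() {
    if command -v setkey >/dev/null 2>&1; then
        setkey -c
    else
        cat
    fi
}

# Example run with documentation addresses (constructed input):
#   rfc2401_spd 10.1.0.0/24 10.2.0.0/24 192.0.2.1 198.51.100.1 | apply_spd
#   touch_vpn_gif 192.0.2.1 198.51.100.1 10.255.0.1 10.255.0.2
#   touch_vpn_spd 192.0.2.1 198.51.100.1 | apply_spd
```

The `use` level, copied from the page's examples, tells the kernel to apply the SA when one exists and otherwise let the packet through in the clear; for a production VPN the level should be `require`, so that gateway traffic is dropped rather than sent unprotected when IKE has not yet established an SA or the SA has expired. Note also that in the draft-touch configuration the other end must be configured the same way: racoon(8) will negotiate transport-mode SAs for C-D, which an RFC2401 tunnel-mode peer will not accept.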
2232 IPsec, and/or 2292bis API, needs further study.