
Re: Announcing X-Bone VPN/overlay software release

Sandy Harris wrote:
> 
> Joe Touch wrote:
...
> > The X-Bone system for automated deployment of VPN / overlay networks
> > is now publicly available. ...
> 
> Great.
> 
> > The X-Bone is available for the following operating systems:
> >
> >       - FreeBSD
> >               CAIRN 2.5, 3.*, 3.* + KAME IPsec patches
> >
> >       - Linux RedHat
> >               6.0, 6.0 + NIST Cerberus IPsec patches, 6.1
> 
> Why did you use the export-restricted NIST stuff rather than the
> more widely deployable FreeS/WAN implementation of IPSEC for Linux?

The X-Bone uses transport-mode IPSEC on IPIP tunnel headers, as further
described in draft-touch-ipsec-vpn-00.txt. This requires that the SA be
bound to a virtual interface (that of the tunnel). The FreeS/WAN IPSEC
requires that SAs be bound to real, physical interfaces:

From the current FreeS/WAN man pages:

	ipsec tncfg - associate IPSEC virtual interface with real interface  
	...
	Tncfg attaches/detaches IPSEC virtual interfaces to/from 
	real interfaces, through which packets will be forwarded 
	once processed by IPSEC. 
	...
	Virtual interfaces typically have names like ipsec0, while real 
	interfaces typically have names like eth0 or ppp0.  

The NIST implementation supports SAs binding to virtual interfaces, and
also provides key management interfaces very similar to that of our
primary platform, FreeBSD/KAME. It was a much more expedient choice for
our proof-of-concept Linux port.

Joe
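
Added example (not X-Bone code, nor anything from the thread's authors): the arrangement Joe describes, transport-mode IPsec applied to the IPIP tunnel's own headers so that the SA effectively belongs to the virtual interface rather than to eth0, expressed with iproute2/xfrm on a current Linux host. The tunnel device creates the outer IP header; the SAs are transport mode between the two real endpoints; and the policies select only IP protocol 4 (IPIP) between those endpoints, so traffic that did not leave via the tunnel is untouched. The interface name, addresses, SPIs and keys are constructed placeholders. The script prints the commands by default and only executes them (as root, with the xfrm and ipip modules loaded) when XBONE_APPLY=1.

```shell
#!/bin/sh
# Transport-mode ESP over an IPIP tunnel with iproute2 (editorial example).
# All values below are constructed placeholders; replace the keys with output
# of e.g. `openssl rand -hex 32` before using this on a real host.
LOCAL=192.0.2.1        # this host's real (physical) address
REMOTE=198.51.100.1    # peer's real address
TUN=xb0                # the IPIP tunnel device, i.e. the virtual interface
TUN_ADDR=10.0.0.1/30   # overlay address carried inside the tunnel
SPI_OUT=0x1001
SPI_IN=0x1002
KEY_ENC=0x00112233445566778899aabbccddeeff                                   # 16 bytes: AES-128-CBC
KEY_AUTH=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # 32 bytes: HMAC-SHA256

# 1. The virtual interface. Packets routed out of $TUN leave the host as
#    IP-in-IP (protocol 4) from $LOCAL to $REMOTE.
tunnel_cmds() {
  cat <<EOF
ip tunnel add $TUN mode ipip local $LOCAL remote $REMOTE
ip link set $TUN up
ip addr add $TUN_ADDR dev $TUN
EOF
}

# 2. Transport-mode SAs between the real endpoints. Transport mode adds no
#    second IP header; the outer header already came from the IPIP tunnel,
#    which is exactly why the SA only makes sense relative to that tunnel.
sa_cmds() {
  cat <<EOF
ip xfrm state add src $LOCAL dst $REMOTE proto esp spi $SPI_OUT mode transport auth-trunc 'hmac(sha256)' $KEY_AUTH 128 enc 'cbc(aes)' $KEY_ENC
ip xfrm state add src $REMOTE dst $LOCAL proto esp spi $SPI_IN mode transport auth-trunc 'hmac(sha256)' $KEY_AUTH 128 enc 'cbc(aes)' $KEY_ENC
EOF
}

# 3. Policies keyed on the tunnel's own traffic: IP protocol 4 between the
#    endpoints. Anything else between $LOCAL and $REMOTE (SSH, ICMP, ...)
#    is not matched and stays in the clear.
policy_cmds() {
  cat <<EOF
ip xfrm policy add src $LOCAL dst $REMOTE proto 4 dir out tmpl src $LOCAL dst $REMOTE proto esp mode transport
ip xfrm policy add src $REMOTE dst $LOCAL proto 4 dir in tmpl src $REMOTE dst $LOCAL proto esp mode transport
EOF
}

# Full plan, in the order the kernel needs it (interface, SAs, policies).
xbone_plan() {
  tunnel_cmds
  sa_cmds
  policy_cmds
}

if [ "${XBONE_APPLY:-0}" = 1 ]; then
  xbone_plan | sh -e      # run each line; stop at the first failure
else
  xbone_plan              # dry run: show what would be configured
fi
```

The peer runs the same script with LOCAL and REMOTE, the SPIs, and the tunnel address swapped. Check the result with `ip xfrm state` and `ip xfrm policy`, then ping the peer's overlay address through the tunnel while watching `ip -s xfrm state` for the packet counters to move; if the counters stay at zero the IPIP traffic is bypassing the policy, usually because the selector addresses do not match the tunnel's local/remote pair.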