[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec Implementation

To: Ipsec <ipsec@lists.tislabs.com>
Subject: Re: IPSec Implementation
From: Feng Ye <f_ye@yahoo.com>
Date: Tue, 20 May 2003 09:29:48 -0700 (PDT)
Cc: George Hadjichristofi <ghadjich@vt.edu>
In-Reply-To: <NGBBJKFPKLLPDJAPGACCAEGFDHAA.ghadjich@vt.edu>
Sender: owner-ipsec@lists.tislabs.com

Hey George,

I was doing the same thing a while ago, I looked into
Kame, and briefly went through the code, seems the
Kame is ok to understand, anyway they are all based on
the standard (I mean, the IKE part).
I think there're some difference between the open
source implementations:
 1.FreeS/wan: they do not support those they think are
unsecure, like single DES, DH group 1, agressive mode,
etc. Besides, freeswan is not used in VPNC testing.
 2.openbsd (isakmpd): they have hardware support (like
Hifn chips), they do not support multiple ESP/AH
headers as required by an iterated VPN cloud. Model
IPsec tunnel as pseudo interfaces.
 3.kame (racoon): do not model IPsec tunnel as pseudo
interfaces (maybe a good thing). Does not implement
byte lifetime for both phase 1 and phase 2.

As for the documentation, Kame has some documents in
Japanese. The best way still is to go over the code, I
think the open source documentation is not sufficient
enough.

As for the modification, I only looked into Kame,
which is based on PF_KEY socket implementation, so if
your system is socket based it should be easier.

I am still very interested in this, if you have any
result, can you let me know?

Regards,
Feng Ye

--- George Hadjichristofi <ghadjich@vt.edu> wrote:
> Hi,
> 
> I have a question related to the different
> implementations of IPSec.
> 
> I am currently looking into the FreeBSD, FreeSWAN
> Linux, and the one that
> comes with the new version of linux.
> 
> Does anyone know the basic differences between these
> implementations?
> 
> Which one has the best documentation?
> Which one is "easiest" to understand and modify?
> 
> Thank you,
> 
> George
> 
> 
> 
> 
> *************************************************
> George C. Hadjichristofi
> Graduate Student,Computer Engineering Department
> Virginia Tech,Blacksburg,VA 24061,U.S.A
> TEL:(540)-951-8936
> *************************************************
> 

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

References:
- IPSec Implementation
  - From: "George Hadjichristofi" <ghadjich@vt.edu>

Prev by Date: I-D ACTION:draft-ietf-ipsec-ikev2-algorithms-00.txt
Next by Date: v7 nits
Prev by thread: IPSec Implementation
Next by thread: Re: IPSec Implementation
Index(es):
- Date
- Thread