fast_ipsec(4) - NetBSD Manual Pages

FAST_IPSEC(4)           NetBSD Kernel Interfaces Manual          FAST_IPSEC(4)


NAME
Fast IPsec -- hardware-accelerated IP Security Protocols
SYNOPSIS
options FAST_IPSEC pseudo-device crypto
DESCRIPTION
IPsec is a set of protocols, ESP (for Encapsulating Security Payload) AH (for Authentication Header), and IPComp (for IP Payload Compression Pro- tocol) that provide security services for IP datagrams. Fast IPsec is an implementation of these protocols that uses the opencrypto(9) subsystem to carry out cryptographic operations. This means, in particular, that cryptographic hardware devices are employed whenever possible to optimize the performance of these protocols. In general, the Fast IPsec implementation is intended to be compatible with the KAME IPsec implementation. This documentation concentrates on differences from that software. The user should refer to ipsec(4) for basic information on setting up and using these protocols. System configuration requires the opencrypto(9) subsystem. When the Fast IPsec protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use sysctl(8).
DIAGNOSTICS
To be added.
SEE ALSO
ipsec(4), setkey(8), sysctl(8), opencrypto(9)
HISTORY
The protocols draw heavily on the OpenBSD implementation of the IPsec protocols. The policy management code is derived from the KAME implemen- tation found in their IPsec protocols. The Fast IPsec protocols are based on code which appeared in FreeBSD 4.7. The NetBSD version is a close copy of the FreeBSD original, and first appeared in NetBSD 2.0.
BUGS
There is presently no support for IPv6. Configuring Fast IPsec in con- junction with INET6 is explictly experimental and unsupported. At the time of writing, combining Fast IPsec and INET6 in a single kernel is believed to yield a working IPv6 stack, provided that no IPv6 traffic makes any use whatsoever of ipsec(4). Attempting to send or receive ipsec(4) IPv6 traffic to or from such a kernel may trigger kernel panics, or may expose the unprotected plaintext of IPv6 traffic which is config- ured to be secured via ipsec(4). Caveat emptor. The IPcomp protocol support does not work. Certain legacy authentication algorithms are not supported because of issues with the opencrypto(9) subsystem. This documentation is incomplete. NetBSD 3.0.1 April 25, 2004 NetBSD 3.0.1

Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.