FAST_IPSEC(4) |
NetBSD Kernel Interfaces Manual |
FAST_IPSEC(4) |
NAME
fast_ipsec — Fast IPsec hardware-accelerated IP Security Protocols
SYNOPSIS
options FAST_IPSEC
options IPSEC_DEBUG
options IPSEC_NAT_T
pseudo-device crypto
DESCRIPTION
IPsec is a set of protocols, ESP (for Encapsulating Security Payload) AH (for Authentication Header), and IPComp (for IP Payload Compression Protocol) that provide security services for IP datagrams. Fast IPsec is an implementation of these protocols that uses the
opencrypto(9) subsystem to carry out cryptographic operations. This means, in particular, that cryptographic hardware devices are employed whenever possible to optimize the performance of these protocols.
In general, the Fast IPsec implementation is intended to be compatible with the KAME IPsec implementation. This documentation concentrates on differences from that software. The user should refer to ipsec(4) for basic information on setting up and using these protocols.
System configuration requires the opencrypto(9) subsystem. When the Fast IPsec protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use sysctl(8).
DIAGNOSTICS
To be added.
HISTORY
The protocols draw heavily on the
OpenBSD implementation of the IPsec protocols. The policy management code is derived from the KAME implementation found in their IPsec protocols. The Fast IPsec protocols are based on code which appeared in
FreeBSD 4.7. The
NetBSD version is a close copy of the
FreeBSD original, and first appeared in
NetBSD 2.0.
Support for IPv6 and IPcomp protocols has been added in NetBSD 4.0.
Support for IPSEC_NAT_T (Network Address Translator Traversal as described in RFCs 3947 and 3948) has been added in NetBSD 5.0.
BUGS
There still are some issues in the IPv6 support. In particular FAST_IPSEC does not protect packets with IPv6 extension headers.
Certain legacy authentication algorithms are not supported because of issues with the opencrypto(9) subsystem.
This documentation is incomplete.