Single IP host and IPsec tunnel mode experience

Jacques A. Vidrine nectar at FreeBSD.org
Mon Apr 21 06:43:14 PDT 2003


On Sun, Apr 20, 2003 at 06:00:25PM -0700, Crist J. Clark wrote:
> It's easy to see what's going on in ESP when you define the encryption
> algorithm as the NULL algorithm. 

Ah, good idea.  Why didn't I think of that? :-)

> Although I admit it took me a while
> to figure out that NULL encryption in the setkey(8) syntax is the
> "simple" algorithm.
> 
> In fact, would anyone object to,
> 
> Index: setkey.8
> ===================================================================
> RCS file: /export/freebsd/ncvs/src/usr.sbin/setkey/setkey.8,v
> retrieving revision 1.24
> diff -u -r1.24 setkey.8
> --- setkey.8    1 Jan 2003 18:49:03 -0000       1.24
> +++ setkey.8    21 Apr 2003 00:41:50 -0000
> @@ -563,7 +563,7 @@
>  algorithm      keylen (bits)   comment
>  des-cbc                64              esp-old: rfc1829, esp: rfc2405
>  3des-cbc       192             rfc2451
> -simple         0 to 2048       rfc2410
> +null-enc       0 to 2048       rfc2410
>  blowfish-cbc   40 to 448       rfc2451
>  cast128-cbc    40 to 128       rfc2451
>  des-deriv      64              ipsec-ciph-des-derived-01 (expired)
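Review bot: dropping `simple` from the algorithm table leaves the parser accepting a name the manual no longer documents, since the token.l hunk in this same patch keeps `simple` as a token. Keep both spellings in the table, e.g. list `null-enc   0 to 2048   rfc2410` and a line noting `simple` as a deprecated alias for it, so existing SAD/SPD scripts that use `simple` stay documented.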
> Index: token.l
> ===================================================================
> RCS file: /export/freebsd/ncvs/src/usr.sbin/setkey/token.l,v
> retrieving revision 1.5
> diff -u -r1.5 token.l
> --- token.l     11 Jun 2001 12:39:28 -0000      1.5
> +++ token.l     21 Apr 2003 00:39:41 -0000
> @@ -176,6 +176,7 @@
>  {hyphen}E      { PREPROC; return(F_ENC); }
>  des-cbc                { PREPROC; yylval.num = SADB_EALG_DESCBC; return(ALG_ENC); }
>  3des-cbc       { PREPROC; yylval.num = SADB_EALG_3DESCBC; return(ALG_ENC); }
> +null-enc       { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
>  simple         { PREPROC; yylval.num = SADB_EALG_NULL; return(ALG_ENC); }
>  blowfish-cbc   { PREPROC; yylval.num = SADB_X_EALG_BLOWFISHCBC; return(ALG_ENC); }
>  cast128-cbc    { PREPROC; yylval.num = SADB_X_EALG_CAST128CBC; return(ALG_ENC); }
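Review bot: this introduces a third spelling for the same algorithm, since racoon calls it `null_enc` (underscore, as the reply below notes) while the new setkey token is `null-enc`; consider also accepting `null_enc`, or settling on one form for both tools, so a name copied between racoon.conf and a setkey script does not fail to parse. The retained `simple` line should also carry a comment marking it as a backward-compatibility alias, given that the man page hunk drops it.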
> 
> The KAME stuff isn't on a vendor branch, not in a contrib/, and not
> listed in MAINTAINERS. I guess it's OK to make minor changes/bug fixes
> locally? I did file a PR with KAME for this too.

Well, I wouldn't mind.  FWIW, racoon calls it `null_enc' (rather than
`simple').  ume & sumikawa appear to be the best folks to treat as
maintainers of setkey(8), if anyone.

Cheers,
-- 
Jacques A. Vidrine <nectar at celabo.org>          http://www.celabo.org/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine at verio.net     .  nectar at FreeBSD.org  .          nectar at kth.se
