[Patch for review] Experimental NAT-T + PFKey cleanup

VANHULLEBUS Yvan vanhu at FreeBSD.org
Wed Jan 21 01:48:27 PST 2009


[same mail sent both on ipsec-tools-devel and freebsd-net, please use
respective MLs for potential issues on each side]

Hi all.

Here is a beta patch which cleans the way PFKey exchanges NAT-T ports
between kernel and userland, available at:
http://people.freebsd.org/~vanhu/NAT-T/experimental/

patch-FreeBSD-TRUNK-NATT-pfkey-clean-<date>.diff is the whole FreeBSD
NAT-T patchset (also available on perforce.freebsd.org for those who
have access).

patch-ipsec-tools-HEAD-NATT-pfkey-cleanup-<date>.diff applies on
ipsec-tools CVS HEAD.


With those patches, NAT-T ports are now always sent via
SADB_X_EXT_NAT_T_[S|D]PORT, and never as ports in
SADB_EXT_ADDRESS_[SRC|DST] (which is not RFC2367 compliant).
Both ways are more or less used actually.


Basic tests with those patches work (a tunnel with NAT-T negotiates
and works), but please note those patches are in a directory called
"experimental". At least, setkey hasn't been updated yet, and some
cleanups will need to be done before committing.



Compatibility with existing IPsec+NAT-T stacks is also an issue (if
you compile without NAT-T support, you'll have NO issue at all):

- racoon + patch won't work correctly on FreeBSD + old NAT-T patch
  (I'll generate at least an updated patch for FreeBSD 7.x).
- racoon + patch won't work correctly on NetBSD + NAT-T enabled.
- racoon + patch may work as good or even better on Linux... or not...
- racoon without patch won't work correctly on FreeBSD + new NAT-T
  patch.
- racoon without patch won't work correctly on updated NetBSD + NAT-T
  (no NetBSD patch yet).

Ipsec-tools team has still not decided how such compatibility issues
will be handled (or not...), any (good) idea is welcome!


Please send feedback/bug reports/patches/anything else directly on
ipsec-tools-devel or freebsd-net MLs (for respective patches), so
everyone interested will have the info.


Yvan.
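The PF_KEY encoding the mail contrasts, as an added example that is not part of the post, of the FreeBSD patchset or of ipsec-tools: a small C program that builds a PF_KEY v2 message carrying NAT-T ports and walks its extension chain, reading the ports the RFC 2367-clean way (from SADB_X_EXT_NAT_T_SPORT/DPORT) and flagging the legacy form (a non-zero port inside the sockaddr of SADB_EXT_ADDRESS_SRC/DST). The struct layouts are redeclared here to mirror the public PF_KEY v2 headers so the file compiles without a platform pfkeyv2.h; the extension type numbers (21/22) are assumed from the KAME-derived headers and must be checked against the platform's own pfkeyv2.h; the addresses, ports and message type are constructed sample values.

```c
/* Added example: PF_KEY v2 NAT-T port handling, clean vs. legacy encoding.
 * Not code from the patches under review. Struct layouts mirror the public
 * PF_KEY v2 headers; extension numbers are ASSUMED (KAME-derived values) and
 * must be verified against the platform's pfkeyv2.h before real use. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PFKEY_UNIT64 8               /* all sadb_*_len fields count 64-bit words */
#define SADB_EXT_ADDRESS_SRC    5    /* RFC 2367 */
#define SADB_EXT_ADDRESS_DST    6    /* RFC 2367 */
#define SADB_X_EXT_NAT_T_SPORT 21    /* assumed: check sys/net/pfkeyv2.h */
#define SADB_X_EXT_NAT_T_DPORT 22    /* assumed: check sys/net/pfkeyv2.h */

struct sadb_msg {                    /* 16 bytes */
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };   /* generic header */
struct sadb_address {                /* 8 bytes, followed by a sockaddr */
    uint16_t sadb_address_len, sadb_address_exttype;
    uint8_t  sadb_address_proto, sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};
struct sadb_x_nat_t_port {           /* 8 bytes; port is in network byte order */
    uint16_t sadb_x_nat_t_port_len, sadb_x_nat_t_port_exttype;
    uint16_t sadb_x_nat_t_port_port, sadb_x_nat_t_port_reserved;
};

struct natt_ports {
    uint16_t sport, dport;           /* host order, from SADB_X_EXT_NAT_T_*PORT */
    int have_sport, have_dport;      /* set when the extension was present */
    int legacy_addr_ports;           /* non-zero port seen inside SADB_EXT_ADDRESS_* */
};

/* Walk the extension chain after the sadb_msg header. Every length is checked
 * against the buffer before it is trusted; returns 0 on success, -1 on a
 * malformed message. Only AF_INET sockaddrs are inspected for legacy ports. */
int parse_natt_ports(const uint8_t *buf, size_t len, struct natt_ports *out)
{
    struct sadb_msg hdr;
    size_t off;

    memset(out, 0, sizeof(*out));
    if (len < sizeof(hdr)) return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    if ((size_t)hdr.sadb_msg_len * PFKEY_UNIT64 != len) return -1;

    for (off = sizeof(hdr); off + sizeof(struct sadb_ext) <= len; off += 0) {
        struct sadb_ext ext;
        size_t extlen;
        memcpy(&ext, buf + off, sizeof(ext));
        extlen = (size_t)ext.sadb_ext_len * PFKEY_UNIT64;
        if (extlen < sizeof(ext) || off + extlen > len) return -1;

        if (ext.sadb_ext_type == SADB_X_EXT_NAT_T_SPORT ||
            ext.sadb_ext_type == SADB_X_EXT_NAT_T_DPORT) {
            struct sadb_x_nat_t_port np;
            if (extlen < sizeof(np)) return -1;
            memcpy(&np, buf + off, sizeof(np));
            if (ext.sadb_ext_type == SADB_X_EXT_NAT_T_SPORT) {
                out->sport = ntohs(np.sadb_x_nat_t_port_port); out->have_sport = 1;
            } else {
                out->dport = ntohs(np.sadb_x_nat_t_port_port); out->have_dport = 1;
            }
        } else if (ext.sadb_ext_type == SADB_EXT_ADDRESS_SRC ||
                   ext.sadb_ext_type == SADB_EXT_ADDRESS_DST) {
            struct sockaddr_in sin;
            if (extlen < sizeof(struct sadb_address) + sizeof(sin)) return -1;
            memcpy(&sin, buf + off + sizeof(struct sadb_address), sizeof(sin));
            if (sin.sin_family == AF_INET && sin.sin_port != 0)
                out->legacy_addr_ports = 1;   /* port smuggled in the address */
        }
        off += extlen;
    }
    return off == len ? 0 : -1;
}

/* Builders for the constructed sample message. */
static size_t put_address(uint8_t *p, uint16_t type, const char *ip, uint16_t port)
{
    struct sadb_address a = { (sizeof(a) + sizeof(struct sockaddr_in)) / PFKEY_UNIT64,
                              type, 0 /* any proto */, 32, 0 };
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);            /* 0 in the clean encoding */
    inet_pton(AF_INET, ip, &sin.sin_addr);
    memcpy(p, &a, sizeof(a));
    memcpy(p + sizeof(a), &sin, sizeof(sin));
    return sizeof(a) + sizeof(sin);
}

static size_t put_natt_port(uint8_t *p, uint16_t type, uint16_t port)
{
    struct sadb_x_nat_t_port np = { sizeof(struct sadb_x_nat_t_port) / PFKEY_UNIT64,
                                    type, htons(port), 0 };
    memcpy(p, &np, sizeof(np));
    return sizeof(np);
}

/* Constructed SADB_ADD-style message (80 bytes): two addresses plus the two
 * NAT-T port extensions. With legacy_ports set, the addresses also carry the
 * UDP port, which is the non-RFC 2367 form the patch removes. */
size_t build_sample_msg(uint8_t *buf, int legacy_ports)
{
    struct sadb_msg hdr;
    size_t off = sizeof(hdr);
    uint16_t addr_port = legacy_ports ? 4500 : 0;

    off += put_address(buf + off, SADB_EXT_ADDRESS_SRC, "192.0.2.10", addr_port);
    off += put_address(buf + off, SADB_EXT_ADDRESS_DST, "198.51.100.20", addr_port);
    off += put_natt_port(buf + off, SADB_X_EXT_NAT_T_SPORT, 4500);
    off += put_natt_port(buf + off, SADB_X_EXT_NAT_T_DPORT, 4500);

    memset(&hdr, 0, sizeof(hdr));
    hdr.sadb_msg_version = 2;              /* PF_KEY_V2 */
    hdr.sadb_msg_type = 3;                 /* SADB_ADD, sample value */
    hdr.sadb_msg_satype = 3;               /* SADB_SATYPE_ESP, sample value */
    hdr.sadb_msg_len = (uint16_t)(off / PFKEY_UNIT64);
    memcpy(buf, &hdr, sizeof(hdr));
    return off;
}

/* Build one sample and parse it back; used by main() below and by tests. */
int check_sample(int legacy_ports, struct natt_ports *np)
{
    uint8_t buf[128];
    size_t n = build_sample_msg(buf, legacy_ports);
    return parse_natt_ports(buf, n, np);
}

int main(void)
{
    struct natt_ports np;
    int legacy;
    for (legacy = 0; legacy <= 1; legacy++) {
        if (check_sample(legacy, &np) != 0) { puts("malformed"); continue; }
        printf("sport=%u dport=%u legacy_ports_in_address=%s\n",
               np.sport, np.dport, np.legacy_addr_ports ? "yes" : "no");
    }
    return 0;
}
```

The walker treats every `sadb_*_len` as untrusted before indexing the buffer, which is the habit a PF_KEY consumer (kernel or racoon) needs when both encodings are in circulation: a message that carries ports in the address extension but no NAT-T port extensions parses cleanly here, with `legacy_addr_ports` set and `have_sport`/`have_dport` clear, so the caller can decide how to treat the older peer rather than silently reading port 0.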

