FreeBSD NAT-T patch integration [CFR/CFT]

VANHULLEBUS Yvan vanhu at
Mon Jul 21 14:27:00 UTC 2008

[Larry, I kept you in an explicit CC, even if I guess you suscribed to
the list]

On Mon, Jul 21, 2008 at 09:26:15AM +0000, Bjoern A. Zeeb wrote:
> On Wed, 16 Jul 2008, Sam Leffler wrote:
> Hi,


> My main concern at the moment is the API (pfkey stuff) to userland as
> Yvan had stated in <20080626075307.GA1401 at>.

It is also one of my main concerns actually.

> I know that at the moment there seems to be one public (pseudo) reference
> implementation this all works together but there might be/are other
> people not using libipsec from ipsec-tools.

Well, people who use another libipsec are expected to "just" not see
NAT-T extensions.

The only "real issue" is that, actually, NAT-T ports are sent though
sockaddr structs, when RFC 2367 says that zeroing ports MUST be done
(section 2.3.3).

There is already an open ticket on ipsec-tools side to cleanup that
part of the code on userland's size of PFKey interface, and I hope
it will be done for 0.8.0 release (sorry, no release date for now).

As soon as I'll have a working patch on userland, I'll do the work on
FreeBSD's kernel side. I hope everything will be done within a few
weeks, but I already know that we'll have backward compatibility
issues with various kernels (ipsec-tools runs at least on FreeBSD,
NetBSD, Linux and MacOSX).


More information about the freebsd-net mailing list