svn commit: r218794 - in head: . sys/netipsec

Pawel Jakub Dawidek pjd at
Sat Feb 19 07:34:41 UTC 2011

On Fri, Feb 18, 2011 at 09:40:13AM +0000, VANHULLEBUS Yvan wrote:
> Author: vanhu
> Date: Fri Feb 18 09:40:13 2011
> New Revision: 218794
> URL:
> Log:
>   Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant.
>   This will break interoperability with all older versions of
>   FreeBSD for those algorithms.
>   Reviewed by:	bz, gnn
>   Obtained from:	NETASQ
>   MFC after:	1w

First of all, I can't see such a change being merged to stable, where
going from 8.2 to 8.3 will break IPsec tunnels.
Second of all I really think that an UPDATING entry is not enough.
We should at least provide sysctl to change it back and if we can detect
this based on packet size, it would be best to log a warning that the
other side is using old implementation and it (the other side) should be
either upgraded or this sysctl should be changed locally to enable old
behaviour. I'm happy to remove such sysctl after one full major release,
so we won't support tunnels between FreeBSD 8 and FreeBSD 10, but we
should IMHO definitely support tunnels between both 8-9 and 9-10.

Pawel Jakub Dawidek             
pjd at                 
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url :

More information about the svn-src-all mailing list