The PF_KEY API originates from BSD, and was implemented in Linux
too. However, there were several problems with the API: it did not
support all the things needed and, most importantly, it never gained the
standardization it was intended to have. There are many variants of
this API.
The Linux people decided to ditch this API and implemented the same
things in the Netlink XFRM API in a more robust manner with additional
features. Consequently PF_KEY got deprecated in Linux. However, it
is still the only option in *BSD.
The BSD variants allow the port numbers. There used to be quite a
bit of difference in the details, but it's supposedly better now. After
the Linux developers deprecated the PF_KEY API they refused to add
new features to it. So to get the functionality you want in Linux
you need to use the native Linux API: Netlink XFRM. Or implement
the same things in the Linux PF_KEY code (but these will not get accepted
into the mainline kernel due to policy).
If you just need static IPsec SAs with port-specific stuff in
Linux, you should be able to create them with the "ip xfrm" command
from the iproute2 package. If you need IKE keying, you need to use
some IKE daemon that talks to the kernel with Linux Netlink XFRM, as
I said before.
There are some options among the Linux IKE implementations. ipsec-tools is
generally preferred since it uses OpenSSL, but {open,strong}swan seem
to implement the XFRM API and IKEv2 amongst other interesting
things not supported by ipsec-tools.
One more thing: the port number (in the SA) is not settable via the PF_KEY
programming API in Linux.
This kind of functionality is possible via the XFRM API.
Best regards,
Ram
Ramesh wrote:
Hi,
I wanted to know about XFRM messages to configure IPsec.
Is it an old tradition compared to the PF_KEY mechanism?
What is the current status of the XFRM framework for IPsec?
Thanks,
Ramesh
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
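The "ip xfrm" route Ram points at, written out as an added example that is not part of the original post and is not iproute2's own documentation: a manually keyed pair of transport-mode ESP SAs whose selectors are narrowed to one TCP port, plus the policies that steer traffic into them. This is exactly the per-port selector that the post says Linux PF_KEY cannot set. The addresses, SPIs, port and keys are hypothetical placeholders, and the helper names (emit_xfrm_commands, emit_xfrm_cleanup, the APPLY switch) are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): static, manually keyed
# transport-mode ESP SAs with port-specific selectors, built with
# iproute2 "ip xfrm". Addresses, SPIs and keys are hypothetical placeholders.
set -eu

LOCAL=${LOCAL:-192.0.2.10}      # this host (placeholder)
REMOTE=${REMOTE:-192.0.2.20}    # peer (placeholder)
PORT=${PORT:-22}                # protect only this TCP port (SSH)
SPI_OUT=${SPI_OUT:-0x10000001}  # SPI of the SA the peer receives on
SPI_IN=${SPI_IN:-0x10000002}    # SPI of the SA this host receives on
# rfc4106(gcm(aes)) with AES-128 takes 16 key bytes + 4 salt bytes = 20 bytes.
# Placeholder keys: on a real host generate them (e.g. "openssl rand -hex 20")
# and carry the same values to the peer over a secure channel, which is the
# job an IKE daemon would otherwise do.
KEY_OUT=${KEY_OUT:-0x000102030405060708090a0b0c0d0e0f10111213}
KEY_IN=${KEY_IN:-0x202122232425262728292a2b2c2d2e2f30313233}
ICV_BITS=128

# Print the ip(8) commands instead of running them directly, so they can be
# reviewed or logged before being fed to "sh" on the target host.
emit_xfrm_commands() {
    # Outbound SA: only LOCAL -> REMOTE:$PORT is carried by it. The "sel"
    # clause is the per-port selector that Linux PF_KEY cannot express.
    printf '%s\n' "ip xfrm state add src $LOCAL dst $REMOTE proto esp spi $SPI_OUT mode transport aead 'rfc4106(gcm(aes))' $KEY_OUT $ICV_BITS sel src $LOCAL dst $REMOTE proto tcp dport $PORT"
    # Inbound SA: replies from REMOTE:$PORT back to LOCAL.
    printf '%s\n' "ip xfrm state add src $REMOTE dst $LOCAL proto esp spi $SPI_IN mode transport aead 'rfc4106(gcm(aes))' $KEY_IN $ICV_BITS sel src $REMOTE dst $LOCAL proto tcp sport $PORT"
    # Policies: without them the SAs exist but no packet is steered into them,
    # and inbound cleartext to $PORT would still be accepted.
    printf '%s\n' "ip xfrm policy add src $LOCAL dst $REMOTE proto tcp dport $PORT dir out tmpl src $LOCAL dst $REMOTE proto esp mode transport"
    printf '%s\n' "ip xfrm policy add src $REMOTE dst $LOCAL proto tcp sport $PORT dir in tmpl src $REMOTE dst $LOCAL proto esp mode transport"
}

# Matching teardown, needed when re-keying by hand (static SAs never expire
# unless limits are set, so stale keys stay installed until removed).
emit_xfrm_cleanup() {
    printf '%s\n' "ip xfrm policy delete src $LOCAL dst $REMOTE proto tcp dport $PORT dir out"
    printf '%s\n' "ip xfrm policy delete src $REMOTE dst $LOCAL proto tcp sport $PORT dir in"
    printf '%s\n' "ip xfrm state delete src $LOCAL dst $REMOTE proto esp spi $SPI_OUT"
    printf '%s\n' "ip xfrm state delete src $REMOTE dst $LOCAL proto esp spi $SPI_IN"
}

# APPLY=1 (as root, on Linux) installs the SAs and policies and then dumps
# what the kernel accepted; anything else only prints the commands.
if [ "${APPLY:-0}" = 1 ]; then
    emit_xfrm_commands | sh -e
    ip xfrm state
    ip xfrm policy
else
    emit_xfrm_commands
fi
```

Run the same script on the peer with LOCAL and REMOTE swapped, the two SPIs swapped and the two keys swapped, so that each side's outbound SA is the other side's inbound SA. After APPLY=1, "ip xfrm state" should list both SAs with their "sel" lines and "ip xfrm policy" both policies; a TCP connection to the chosen port should then show up on the wire as ESP, while traffic to any other port stays in the clear.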