Re: kernel-2.6: ipsec without devices

On Thu, 5 Aug 2004 11:09:34 +0100
Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Thursday 05 August 2004 10:33 am, richard lucassen wrote:
> 
> > Anyone an explanation (or a link to an explanation) why the IPSEC
> > implementation in kernel-2.6 doesn't use devices like "ipsec0"?
> 
> My understanding of this is that the kernel developers simply didn't
> like the concept of "virtual" interfaces for no (essential) reason.  
> When FreeS/WAN was a patch to the 2.4 kernel, it was necessary to
> create these interfaces to get things working, but now that the code
> is integrated inside the kernel itself, the pseudo-devices are no
> longer needed, so they've been removed.
> 
> I tend to agree with you that they were a useful way to keep track of
> which packets were going where, and I think from a firewalling point
> of view the new 2.6 implementation of IPsec is not as easy to work
> with.

I just found this pdf on the net with a clear explanation of what's
going on. I'm glad to hear that I'm not the only one who's feeling
uncomfortable with the IPSEC implementation in 2.6. Hopefully the newer
versions of 2.6 will give us back the good old ipsec devices.

http://www.xelerance.com/talks/linuxtag2004/IPseconLinux.pdf

R.

-- 
___________________________________________________________________
Recursion: see recursion

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

