NAME
Fast IPsec
- hardware-accelerated IP Security Protocols
SYNOPSIS
options FAST_IPSEC
options IPSEC_NAT_T
pseudo-device crypto
DESCRIPTION
IPsec
is a set of protocols,
ESP
(for Encapsulating Security Payload)
AH
(for Authentication Header),
and
IPComp
(for IP Payload Compression Protocol)
that provide security services for IP datagrams.
Fast IPsec
is an implementation of these protocols that uses the
opencrypto(9)
subsystem to carry out cryptographic operations.
This means, in particular, that cryptographic hardware devices are
employed whenever possible to optimize the performance of these protocols.
In general, the
Fast IPsec
implementation is intended to be compatible with the
KAME IPsec
implementation.
This documentation concentrates on differences from that software.
The user should refer to
ipsec(4)
for basic information on setting up and using these protocols.
System configuration requires the
opencrypto(9)
subsystem.
When the
Fast IPsec
protocols are configured for use, all protocols are included in the system.
To selectively enable/disable protocols, use
sysctl(8).
DIAGNOSTICS
To be added.
SEE ALSO
ipsec(4),
setkey(8),
sysctl(8),
opencrypto(9)
HISTORY
The protocols draw heavily on the
OpenBSD
implementation of the
IPsec
protocols.
The policy management code is derived from the
KAME
implementation found in their
IPsec
protocols.
The
Fast IPsec
protocols are based on code which appeared in
FreeBSD4.7.
The
NetBSD
version is a close copy of the
FreeBSD
original, and first appeared in
NetBSD2.0.
Support for IPv6 and
IPcomp
protocols has been added in
NetBSD4.0.
Support for IPSEC_NAT_T
(Network Address Translator Traversal as
described in RFCs 3947 and 3948) has been added in
NetBSD5.0.
BUGS
There still are some issues in the IPv6 support.
In particular
FAST_IPSEC
does not protect packets with IPv6 extension headers.
Certain legacy authentication algorithms are not supported because of
issues with the
opencrypto(9)
subsystem.
This documentation is incomplete.