Contributed by jose on from the interop-in-IPSec dept.
best regards,
Markus
http://archives.neohapsis.com/archives/openbsd/cvs/2003-12/0022.html
CVS: cvs.openbsd.org: src
From: Markus Friedl (markus@cvs.openbsd.org)
Date: Tue Dec 02 2003 - 17:16:29 CST
CVSROOT: /cvs
Module name: src
Changes by: markus@cvs.openbsd.org 2003/12/02 16:16:29
Modified files:
sys/netinet : ip_esp.h ip_ipsp.c ip_ipsp.h ipsec_input.c
ipsec_output.c udp_usrreq.c
sys/net : pfkeyv2.h pfkeyv2.c pfkeyv2_parsemessage.c
pfkeyv2_convert.c
sbin/ipsecadm : ipsecadm.8 ipsecadm.c pfkdump.c
sbin/sysctl : sysctl.8
usr.bin/netstat: inet.c
Log message:
UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
By Foxy () foxy@free.fr on http://foxy.free.fr
In recent messages, Markus said that he does want to develop full NAT-T support (isakmp part) because of patent issues :-(
But how does one use ESP in UDP encapsulation with manual keying?
By MotleyFool () motley@dawg.org on mailto:motley@dawg.org
http://marc.theaimsgroup.com/?l=openbsd-cvs&m=107040722926454&w=2
By gwyllion () on
I just wanted to point out that the CVS entry explicitly mentioned NAT/T as one of the applications of ESP in UDP encapsulation.
By MotleyFool () motley@dawg.org on mailto:motley@dawg.org
CVSROOT: /cvs
Module name: src
Changes by: markus@cvs.openbsd.org 2003/12/02 16:16:29
Modified files:
sys/netinet : ip_esp.h ip_ipsp.c ip_ipsp.h ipsec_input.c
ipsec_output.c udp_usrreq.c
sys/net : pfkeyv2.h pfkeyv2.c pfkeyv2_parsemessage.c
pfkeyv2_convert.c
sbin/ipsecadm : ipsecadm.8 ipsecadm.c pfkdump.c
sbin/sysctl : sysctl.8
usr.bin/netstat: inet.c
Log message:
UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@
By Foxy () foxy@free.fr on http://foxy.free.fr
And for full NAT-T support we need implementation for "Negotiation of NAT-Traversal in the IKE", see http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-07.txt
By MotleyFool () mott@dawgg.org on mailto:mott@dawgg.org
see http://www.openbsd.org/cgi-bin/man.cgi?query=ipsecadm&sektion=8&arch=i386&apropos=0&manpath=OpenBSD+Current
-udpencap
Enable ESP-inside-UDP encapsulation. The UDP destination port must be specified on the command line. This port will be used for sending encapsulated UDP packets.
YMMV
it's a start
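What -udpencap puts on the wire, as an added example that is neither this thread's nor OpenBSD's code: a small Python model of the UDP payload formats defined by draft-ietf-ipsec-udp-encaps and its companion draft-ietf-ipsec-nat-t-ike (published in 2005 as RFC 3948 and RFC 3947). Port 4500, the four-zero-octet "non-ESP marker" in front of IKE, the one-octet 0xFF NAT keepalive and the rule that an ESP SPI is never zero all come from those drafts; with ipsecadm's manual keying there is no IKE negotiation at all, so the UDP port is simply whatever was given on the command line. The function names and the sample payloads below are constructed for this example.

```python
# Model of the UDP-encapsulated ESP / IKE / keepalive formats from
# draft-ietf-ipsec-udp-encaps and draft-ietf-ipsec-nat-t-ike (RFC 3948/3947).
# Added example for this discussion; not OpenBSD's implementation.
import struct

NAT_T_PORT = 4500                      # port IKE and ESP "float" to once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes an IKE message sent on port 4500
NAT_KEEPALIVE = b"\xff"                # one-octet datagram that keeps the NAT mapping alive
ESP_HDR = struct.Struct("!II")         # SPI, sequence number (both big-endian)


def udp_encap_esp(spi: int, seq: int, esp_rest: bytes) -> bytes:
    """Build the UDP payload for one ESP packet: the ESP header (SPI, seq)
    followed by the rest of the ESP packet (IV, ciphertext, trailer, ICV).
    esp_rest is opaque here; the point is the framing, not the cipher."""
    if spi == 0:
        # A zero SPI would be indistinguishable from the non-ESP marker.
        raise ValueError("SPI 0 is reserved; it would look like an IKE marker")
    return ESP_HDR.pack(spi, seq) + esp_rest


def udp_encap_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 carries four zero octets before the ISAKMP header so
    the receiver can tell it apart from ESP, whose SPI is never zero."""
    return NON_ESP_MARKER + ike_message


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap a payload in a UDP header with a zero checksum, which the draft
    permits for UDP-encapsulated ESP (ESP carries its own integrity check)."""
    length = 8 + len(payload)
    return struct.pack("!HHHH", sport, dport, length, 0) + payload


def classify(payload: bytes):
    """Demultiplex one UDP payload received on the NAT-T port.

    Returns (kind, detail) with kind in {"keepalive", "ike", "esp", "invalid"}.
    The order of checks mirrors the draft: keepalive is the single octet 0xFF,
    IKE starts with the non-ESP marker, everything else is ESP if it is long
    enough to hold an ESP header."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(payload) < len(NON_ESP_MARKER):
        return ("invalid", "too short for marker or ESP")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    if len(payload) < ESP_HDR.size:
        return ("invalid", "truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(payload)
    return ("esp", {"spi": spi, "seq": seq, "rest": payload[ESP_HDR.size:]})


def demux_datagram(datagram: bytes):
    """Strip the UDP header (constructed by build_udp) and classify the payload."""
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return ("invalid", "UDP length mismatch")
    return classify(datagram[8:])


if __name__ == "__main__":
    # Constructed sample traffic: one of each kind, all on port 4500.
    samples = [
        build_udp(4500, 4500, NAT_KEEPALIVE),
        build_udp(4500, 4500, udp_encap_ike(b"\x11" * 28)),     # 28-byte fake ISAKMP header
        build_udp(4500, 4500, udp_encap_esp(0x1234, 7, b"\xaa" * 16)),
    ]
    for d in samples:
        print(demux_datagram(d)[0])
```

Two points a practitioner should keep in mind with the OpenBSD commit being transport-mode only: a NAT on the path rewrites the outer IP addresses, so after decapsulation the inner TCP/UDP checksum no longer matches and the draft requires the receiver to recompute or incrementally fix it (the IKE NAT-OA payloads exist to make that fixup possible; with manual keying the receiver has to recompute instead); and since the NAT may also rewrite the source port, the peer's port must be learned from the received datagram, not assumed to be 4500.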
By Anonymous Coward () on
It's pretty sad where things are at considering OpenBSD used to be thought of as the best VPN platform.
Patent law is not going to change this millennium. IETF just sucks: writing standards which you can't use because of patents is just plain stupid.
OpenBSD was able to work around the VRRP problems by inventing their own stuff (CARP). This will not work for NAT/T because you need interoperable implementations. Instead you should send emails to SSH Communications and Microsoft asking them to drop their patent claims and allow free usage.
By Anonymous Coward () on
OpenBSD is already infringing on a bunch of other stupid invalid patents, why is this somehow different?
By gwyllion () on
Microsoft has no patent,
Please read Microsoft's Patent Claim pertaining to draft-ietf-ipsec-nat-t-ike and draft-ietf-ipsec-udp-encaps
and ssh.com has a pending application last I heard, and has clearly said anyone can use it to implement nat-t as required by standards.
Please read SSH's Patent Statement pertaining to NAT . It says the following:
"This statement is limited in that SSH Communications Security Corp retains the right to assert said patents against any party and any subsidiary of a party that asserts a patent it owns or controls, either directly or indirectly, against SSH Communications Security Corp or any of its subsidiaries or successors in title for any implementation of or operation of any software or system implementing technology specified by the IETF."
This statement clearly contradicts OpenBSD's goal of making available source code that anyone can use for any purpose, with no restrictions . Including NAT/T would imply restrictions: if you use NAT/T, you can not sue SSH Communications Security based on patents you have.