433cd47b | 07-Aug-2023 | dlg <dlg@openbsd.org>
add sec(4) to support route based ipsec vpns.
ipsec security associations (SAs, aka tdbs inside the kernel) can now specify that they're to be used with an interface (using TDBF_IFACE) rather than the ipsec security policy database. sec(4) is the driver providing that interface.
the name is specifically chosen to not be ipsec(4) because that's already taken by the manpage for the ipsec stack generally. sec(4) is short, easy to type and pronounce, and kind of sounds like ipsec anyway. the names for this type of interface on other platforms seem to be universally terrible and too generic, so i didn't want to copy any of those either.
sec(4) can be considered equivalent to gif(4) protected by ipsec, and on the wire it actually looks the same. sec(4) exists to better support how security associations for route-based ipsec VPNs are negotiated and to avoid SPD entries for them.
the code is a little green, but i'm putting it in now so it can be hacked on in the tree.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@