
FreeBSD 9.x IPSEC

Discussion in 'Networking' started by gkontos, Sep 19, 2012.

  1. gkontos

    gkontos Member

    Messages:
    1,385
    Likes Received:
    1
    Hi all,

    I am really curious about the IPSEC implementation in FreeBSD 9.x versus FreeBSD 8.x.

    So far the only information I have found is from the release notes, but they don't seem to cover my questions.

    More specifically, I am interested in finding out about the current implementation of IPSEC in FreeBSD in regard to IPv6.

    I would appreciate it if anyone could point me to more recent, current documentation.

    Thanks
     
  2. throAU

    throAU New Member

    Messages:
    912
    Likes Received:
    0
    Reading the release notes it looks like 9.0 has been changed to be RFC 4868 compliant, rather than some FreeBSD quirk.

    See RFC4868

    According to the release notes this means FreeBSD 9 -> previous FreeBSD will not work with IPSEC.

    As I understand it, IPSEC is a mandatory component of IPv6?


    Sorry, I haven't tested IPv6 at all with IPSEC, and my previous IPSEC experience with FreeBSD is from back in the 4.x days :) However, from the looks of it, my ASSUMPTION is that if IPv6 with IPSEC worked previously, it should work now, so long as the boxes involved are either both FreeBSD 9.x, FreeBSD 9.x to an RFC 4868 compliant device, or both previous versions of FreeBSD.
     
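The interoperability break throAU reads out of the release notes comes down to the ICV truncation length. RFC 4868 defines the HMAC-SHA-256/384/512 integrity check value as the leading half of the full HMAC output (128/192/256 bits), while the pre-9.0 FreeBSD implementation truncated all three to 96 bits; RFC 4868 also fixes the key length to the hash output length. The following is an added example, not code from the thread or from FreeBSD's IPsec stack: it models both truncations in Python over a constructed key and constructed packet bytes, and shows that a 9.x-style sender and a pre-9.x receiver (or the reverse) never verify each other's packets even though they share the key.

```python
"""Added example (not from the thread or from FreeBSD's IPsec code): the
interoperability break that RFC 4868 compliance causes.

RFC 4868 defines the HMAC-SHA-256/384/512 ICV as the leading half of the full
HMAC output (128/192/256 bits); the pre-9.0 FreeBSD implementation truncated
all three to 96 bits. Both peers here share the key and see identical
authenticated bytes, but an ESP receiver strips the ICV length *it* expects
from the tail of the packet, so a sender with the other truncation length
never verifies. Key and payload bytes are constructed for illustration.
"""
import hashlib
import hmac

# ICV length in bytes: RFC 4868 (half the hash output) vs. the legacy 96 bits.
RFC4868_ICV_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}
LEGACY_ICV_LEN = 12


def icv(key, data, alg="sha256", rfc4868=True):
    """Integrity check value over `data`: truncated HMAC-<alg>."""
    full = hmac.new(key, data, getattr(hashlib, alg)).digest()
    n = RFC4868_ICV_LEN[alg] if rfc4868 else LEGACY_ICV_LEN
    return full[:n]


def build_packet(key, payload, alg="sha256", rfc4868=True):
    """Sender: authenticated bytes followed by the ICV (simplified ESP layout)."""
    return payload + icv(key, payload, alg, rfc4868)


def check_packet(key, packet, alg="sha256", rfc4868=True):
    """Receiver: split off the ICV length it expects, recompute, compare."""
    n = RFC4868_ICV_LEN[alg] if rfc4868 else LEGACY_ICV_LEN
    if len(packet) <= n:
        return False
    data, received = packet[:-n], packet[-n:]
    # Constant-time compare; unequal lengths also fail.
    return hmac.compare_digest(icv(key, data, alg, rfc4868), received)


def interop_matrix(key, payload, alg="sha256"):
    """{(sender_is_rfc4868, receiver_is_rfc4868): verified} for all pairings."""
    return {
        (s, r): check_packet(key, build_packet(key, payload, alg, s), alg, r)
        for s in (True, False)
        for r in (True, False)
    }


# Constructed 256-bit key (RFC 4868 fixes the key length to the hash length)
# and a constructed 40-byte payload standing in for an ESP packet.
KEY = bytes(range(32))
PAYLOAD = bytes(range(0x60, 0x60 + 40))

if __name__ == "__main__":
    for (s, r), ok in interop_matrix(KEY, PAYLOAD).items():
        print(f"sender rfc4868={s}, receiver rfc4868={r}: "
              f"{'OK' if ok else 'ICV mismatch'}")
```

Run it to print the four sender/receiver pairings; only the two matching ones verify. The model is deliberately thin: no ESP header, sequence number or encryption, only the part that matters here, namely the receiver stripping the ICV length it expects from the end of the packet.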
  3. kpa

    kpa Member

    Messages:
    3,994
    Likes Received:
    5
    Not really, as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs, nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".
     
  4. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,365
    Likes Received:
    0
  5. throAU

    throAU New Member

    Messages:
    912
    Likes Received:
    0
    Not mandatory to make a connection via IPv6 (i.e., connect to your tunnel broker), but mandatory to claim that you have an IPv6 implementation.

    If your device/OS doesn't support IPSec, then it doesn't have a complete IPv6 implementation.
     
  6. gkontos

    gkontos Member

    Messages:
    1,385
    Likes Received:
    1
    That's where the confusion begins.

    • IPSEC is mandatory for IPv6 (RFC1752).
    • Earlier versions of FreeBSD < 9 were based on the KAME project, which actually provided the necessary IPSEC implementation.

    After FreeBSD 9.0-RELEASE it is my understanding that the KAME project is no longer being used for IPv6. Yet, IPv6 works natively without having to build a custom KERNEL with IPSEC.
     
  7. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,365
    Likes Received:
    0
    The KAME project was integrated into FreeBSD. Which marked the end of the KAME project. It was further developed as a standard part of FreeBSD. In a similar fashion as TrustedBSD got integrated.

    It's fairly simple actually, if you want to support IPv6 you must also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.
     
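Putting the thread's two points together (IPv6 itself runs without IPsec, but to actually use IPsec on 9.x the kernel has to be built with it, and its HMAC-SHA-2 algorithms now follow RFC 4868), here is an added example, not code from the thread or from FreeBSD: a Python script that generates a setkey(8) configuration for a manually keyed IPv6 ESP transport-mode SA pair between two hosts, rejects HMAC keys whose length does not match what RFC 4868 fixes for the algorithm (the kernel would otherwise reject the SA when it is loaded), and only applies the result if the net.inet.ipsec sysctl tree that exists when IPsec is compiled in is present and setkey is on the path. The addresses (2001:db8::1 and 2001:db8::2), SPIs and keys are constructed.

```python
"""Added example, not code from the thread or from FreeBSD: build a setkey(8)
configuration for a manually keyed IPv6 ESP transport-mode SA pair, validating
the HMAC key lengths RFC 4868 fixes (key length == hash output length), and
check whether the running kernel was built with "options IPSEC" before
applying it. Addresses, SPIs and keys are constructed for illustration.
"""
import os
import shutil
import subprocess
import sys

# RFC 4868: fixed key length in bytes per setkey "-A" algorithm name.
RFC4868_AUTH_KEY_LEN = {"hmac-sha2-256": 32, "hmac-sha2-384": 48, "hmac-sha2-512": 64}
# setkey "-E aes-cbc" accepts 128/192/256-bit keys.
AES_CBC_KEY_LENS = {16, 24, 32}


def hexkey(key: bytes) -> str:
    """Render a key the way setkey wants it (0x followed by hex digits)."""
    return "0x" + key.hex()


def check_keys(auth_alg: str, auth_key: bytes, enc_key: bytes) -> None:
    """Raise ValueError if a key length is wrong for its algorithm."""
    want = RFC4868_AUTH_KEY_LEN.get(auth_alg)
    if want is None:
        raise ValueError(f"unsupported auth algorithm {auth_alg}")
    if len(auth_key) != want:
        raise ValueError(f"{auth_alg} needs a {want}-byte key, got {len(auth_key)}")
    if len(enc_key) not in AES_CBC_KEY_LENS:
        raise ValueError(f"aes-cbc key must be 16/24/32 bytes, got {len(enc_key)}")


def setkey_conf(local, remote, spi_out, spi_in, keys, auth_alg="hmac-sha2-256"):
    """Return setkey(8) configuration text. `keys` maps "out"/"in" to
    (aes_key, hmac_key) tuples, one independent pair per direction."""
    for enc_key, auth_key in keys.values():
        check_keys(auth_alg, auth_key, enc_key)
    e_out, a_out = keys["out"]
    e_in, a_in = keys["in"]
    return "\n".join([
        "flush;",
        "spdflush;",
        "# security associations, one per direction",
        f"add {local} {remote} esp {spi_out:#x} -m transport "
        f"-E aes-cbc {hexkey(e_out)} -A {auth_alg} {hexkey(a_out)};",
        f"add {remote} {local} esp {spi_in:#x} -m transport "
        f"-E aes-cbc {hexkey(e_in)} -A {auth_alg} {hexkey(a_in)};",
        "# security policies: require ESP for all traffic between the two hosts",
        f"spdadd {local} {remote} any -P out ipsec esp/transport//require;",
        f"spdadd {remote} {local} any -P in ipsec esp/transport//require;",
        "",
    ])


def kernel_has_ipsec() -> bool:
    """The net.inet.ipsec sysctl tree exists only when IPsec is compiled in."""
    if shutil.which("sysctl") is None:
        return False
    r = subprocess.run(["sysctl", "-n", "net.inet.ipsec.def_policy"],
                       capture_output=True, text=True)
    return r.returncode == 0


# Constructed sample keys: 128-bit AES and 256-bit HMAC, distinct per direction.
KEYS = {
    "out": (bytes(range(16)), bytes(range(32))),
    "in": (bytes(range(16, 32)), bytes(range(32, 64))),
}

if __name__ == "__main__":
    conf = setkey_conf("2001:db8::1", "2001:db8::2", 0x1001, 0x1002, KEYS)
    path = os.path.join(os.environ.get("TMPDIR", "/tmp"), "ipsec6.conf")
    with open(path, "w") as f:
        f.write(conf)
    if kernel_has_ipsec() and shutil.which("setkey"):
        sys.exit(subprocess.run(["setkey", "-f", path]).returncode)
    print(f"IPsec not available in this kernel; configuration written to {path}")
```

Manual keying as shown is for exercising the path; for anything lasting use IKE (on 9.x, racoon from security/ipsec-tools) so that keys and SPIs are negotiated and rotated rather than typed in. Each direction gets its own AES and HMAC keys on purpose; reusing one key pair for both directions is a common shortcut that the tooling does not stop you from taking.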
  8. gkontos

    gkontos Member

    Messages:
    1,385
    Likes Received:
    1
    Ok, that makes sense. I was not aware of the fact that the KAME project got integrated into FreeBSD.

    I know IPSEC is mandatory for IPv6 to work. That is why I got confused in the first place.

    So, to conclude is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?
     
  9. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,365
    Likes Received:
    0
    I think it's safe to conclude the entire handbook could use a little TLC ;)
     
  10. gkontos

    gkontos Member

    Messages:
    1,385
    Likes Received:
    1
    You are right about that ;)
     
  11. wblock@

    wblock@ Administrator Staff Member Administrator Moderator Developer

    Messages:
    11,168
    Likes Received:
    7
    When you see things that need to be updated in the Handbook, please enter a PR. Be as specific as you can about what is wrong or missing. Patches are even better. Without a PR, things can coast along with nobody realizing there is a problem.
     
  12. gkontos

    gkontos Member

    Messages:
    1,385
    Likes Received:
    1
    You are absolutely right and I will. As a matter of fact, the FreeBSD Handbook is a very valuable piece of information. We need to keep it up to date because during the last 8 years that I have been following FreeBSD closely, a lot of things have changed.
     
  13. gkontos

    gkontos Member

    Messages:
    1,385
    Likes Received:
    1
    Some new developments in my research so far:

    IPSEC implementation is mandatory for IPv6, IPSEC deployment is not.

    It turns out that the word "must" has changed to "should". See RFC 6434.

    Link: http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554