Next: Kerberos
Up: IP Security (IPsec)
Previous: OpenBSD IPsec
Our IPsec implementation is under constant development and
improvement, as a number of unresolved issues remain:
- Our IPv6 stack is not yet integrated with our IPsec
implementation.
- We want a more flexible, possibly unified policy mechanism. In
particular, we are looking into merging routing, security policy, and
protocol block lookups.
- We need to develop or borrow a policy API, rather than use private
extensions to PF_KEY and PF_ROUTE.
- isakmpd does not yet cover all mandatory requirements in
the RFCs.
- A DNSSEC [9] implementation, and integration in
isakmpd and photurisd, will be needed for opportunistic
encryption.
- isakmpd and photurisd are not linked with
libssl, so they will not automatically support RSA when an
RSA-supporting libssl is installed.
- We do not currently do on-demand keying (a facility available in
the past through the PF_ENCAP API).
- Finally, we intend to support some application API for
requesting security and possibly other services. With that in place,
we intend to have all networking applications take advantage of IPsec.
All of these are improvements that we want to address in the
time-frame for the next release.
& D. Keromytis
4/26/1999