[Swan] NetKey vs KLIPS

Paul Wouters paul at nohats.ca
Thu Sep 11 17:53:51 EEST 2014


On Thu, 11 Sep 2014, Lawrence Manning wrote:

> In essence, what are the advantages to using NETKEY? Since the libreswan folks are committed to KLIPS, I’m assuming that KLIPS is considered superior. But why do others use NETKEY?

We actually recommend using NETKEY in most cases now:

https://libreswan.org/wiki/FAQ#Should_I_use_the_NETKEY_or_KLIPS_IPsec_stack_with_libreswan.3F

> I’ve used *swan since the days where FreeSwan needed to be patched to support x509 certs, and after trying out NETKEY for a few weeks in a test setup I found the routing/firewall mechanism harder to work with than KLIPS’s explicit ipsecX interfaces. But beside this, they seemed functionally similar. How does interoperability fare under NETKEY? Are there any known regressions compared to KLIPS? E.g. L2TP on top of NETKEY/IPsec etc.

See the FAQ entry, but basically the only regressions from KLIPS to
NETKEY are:

- The KLIPS SAref (which can be done probably with Linux VTI)
- The first+last packet caching for on-demand tunneling that NETKEY is still lacking.
- OCF cryptographic hardware offload support for embedded devices
   (somewhat available via the OCF cryptosoft driver for netkey)
- Load of a single IPsec SA not distributed over multiple cores/cpus
- No more easy tcpdump use of crypted and decrypted packets (might be
   doable with Linux VTI)
- Incompatible iptables rules requiring a rewrite.

> In essence, I’m wondering if KLIPS will continue to be maintained “forever” or is it less pain now to just make the switch?

We will support KLIPS for a while, but we are not actively developing
for it. So it is mostly in maintenance mode, bringing it up for newer
kernels, etc. Some people still prefer KLIPS due to its much easier
use of firewalling and the ipsecX interfaces.

Paul
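The "incompatible iptables rules requiring a rewrite" point above is the one most people trip over when moving a gateway from KLIPS to NETKEY, so here is an added illustration (not part of the list post, and not libreswan project code) of what that rewrite looks like for the common "only trust the remote subnet when it arrived through the tunnel" rule. The remote subnet 10.0.1.0/24 and the interface name ipsec0 are constructed for the example; the rules are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the list post): the same "accept the remote subnet
# only when it came through IPsec" firewall rule written for each stack.
# Assumed values: remote subnet 10.0.1.0/24 and KLIPS interface ipsec0 are
# constructed for this example. Rules are printed, not applied, unless
# APPLY=1 is set in the environment.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# KLIPS: decrypted packets surface on a dedicated ipsecX interface, so the
# input interface alone proves the packet came out of the tunnel.
klips_rules() {
    subnet=$1; ifname=${2:-ipsec0}
    run iptables -A INPUT   -i "$ifname" -s "$subnet" -j ACCEPT
    run iptables -A FORWARD -i "$ifname" -s "$subnet" -j ACCEPT
    # The same source address arriving on any other interface is cleartext
    # that merely claims to be the remote subnet: drop it.
    run iptables -A INPUT   ! -i "$ifname" -s "$subnet" -j DROP
}

# NETKEY: there is no tunnel interface; decrypted packets reappear on the
# physical NIC. The xfrm policy match (-m policy) replaces the interface test:
# it only matches packets the kernel actually decapsulated under an IPsec SA.
netkey_rules() {
    subnet=$1
    run iptables -A INPUT   -s "$subnet" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A FORWARD -s "$subnet" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Cleartext packets claiming the protected subnet match no IPsec policy: drop.
    run iptables -A INPUT   -s "$subnet" -m policy --dir in --pol none -j DROP
}

klips_rules 10.0.1.0/24
netkey_rules 10.0.1.0/24
```

The third rule in each set is the part that is easy to forget during the rewrite: without it, a packet with a spoofed source from the protected subnet that arrives in the clear is accepted by the same rule meant for decrypted traffic, and on NETKEY the `--pol none` match is the only way to tell the two apart because both arrive on the same physical interface.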


More information about the Swan mailing list