[Swan] NetKey vs KLIPS

Lawrence Manning lawrence.manning at smoothwall.net
Thu Sep 11 19:10:23 EEST 2014


On 11 Sep 2014, at 15:53, Paul Wouters <paul at nohats.ca> wrote:

> - The first+last packet caching for on-demand tunneling that NETKEY is still lacking.

Yes, this was an annoyance when I looked at this. Any idea if it can ever be fixed, or does it have that behaviour as a result of a design decision?

> - OCF cryptographic hardware offload support for embedded devices
>  (somewhat available via the OCF cryptosoft driver for netkey)

Interesting. One would think this would be a problem for KLIPS not NETKEY, since NETKEY is “core” kernel code.

> - No more easy tcpdump use of crypted and decrypted packets (might be
>  doable with Linux VTI)

This is certainly irritating. It’s not just tcpdump but also in theory programs like snort benefit from the separation which the ipsec interfaces provide. (Yes I’ve been known to fire up snort on ipsec tunnels..)

> - incompatible iptables rules requiring a rewrite.

At first I really thought this was a big problem, but the same functionality you get from an interface match are available in other ways (and indeed the control is finer grained). So this is not a problem, just a sign of progress.

>> In essence, I’m wondering if KLIPS will continue to be maintained “forever” or is it less pain now to just make the switch?
> 
> We will support KLIPS for a while, but we are not actively developing
> for it. So it is mostly in maintenance mode, bringing it up for newer
> kernels, etc. Some people still prefer KLIPS due to its much easier
> use of firewalling and the ipsecX interfaces.

I think the summary, for us, is there is no compelling reason to switch to NETKEY, but we will “one day”. I’m very very pleased that libreswan gives us this level of choice. It’s really appreciated.

-- 

Lawrence Manning
Founder and Developer
lawrence.manning at smoothwall.net

Smoothwall Ltd
Phone: +44 (0) 8701 999500
www.smoothwall.net
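The iptables rewrite discussed above, as an added example that is not from the thread or from libreswan: the same "only tunnelled traffic from the remote subnet" policy, written once with the KLIPS ipsec0 interface match and once with the NETKEY xfrm policy match. The subnet, the interface name and the chain layout are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the Swan thread or libreswan).
# Emit an iptables-restore fragment that admits traffic from a remote
# subnet only when it really arrived through the IPsec tunnel, for either
# kernel IPsec stack. Pipe the output into "iptables-restore --noflush".

gen_rules() {
    stack="$1"   # "klips" or "netkey"
    net="$2"     # remote subnet reachable through the tunnel (placeholder)
    case "$stack" in
    klips)
        # KLIPS: decrypted packets surface on the virtual interface ipsec0,
        # so a plain interface match separates them from cleartext packets
        # that merely claim a source address inside $net.
        cat <<EOF
*filter
-A INPUT   -i ipsec0 -s $net -j ACCEPT
-A FORWARD -i ipsec0 -s $net -j ACCEPT
-A FORWARD -o ipsec0 -d $net -j ACCEPT
-A INPUT   -s $net -j DROP
-A FORWARD -s $net -j DROP
COMMIT
EOF
        ;;
    netkey)
        # NETKEY: no interface exists, so the equivalent is the xfrm policy
        # match, which only matches packets that passed through an IPsec SA.
        # A bare "-s $net" rule here would also accept spoofed cleartext.
        cat <<EOF
*filter
-A INPUT   -m policy --dir in  --pol ipsec --proto esp -s $net -j ACCEPT
-A FORWARD -m policy --dir in  --pol ipsec --proto esp -s $net -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -d $net -j ACCEPT
-A INPUT   -s $net -j DROP
-A FORWARD -s $net -j DROP
COMMIT
EOF
        ;;
    *)
        echo "gen_rules: unknown stack '$stack' (use klips or netkey)" >&2
        return 1
        ;;
    esac
}

# Example invocation (subnet is a constructed placeholder):
#   gen_rules netkey 10.1.0.0/16 | iptables-restore --noflush
```

The trailing DROP lines are what make the rewrite matter: with NETKEY the policy match is the only thing tying the ACCEPT to traffic that actually came out of an SA, whereas with KLIPS the interface name carried that guarantee.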

