Debian Bug report logs - #644353
Enabling IPSEC


Package: kfreebsd-9; Maintainer for kfreebsd-9 is GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>;

Reported by: Petr Salinger <Petr.Salinger@seznam.cz>

Date: Wed, 5 Oct 2011 05:57:01 UTC

Severity: wishlist

Found in version 9.1-4



Report forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-8. (Wed, 05 Oct 2011 05:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Petr Salinger <Petr.Salinger@seznam.cz>:
New Bug report received and forwarded. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Wed, 05 Oct 2011 05:57:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Petr Salinger <Petr.Salinger@seznam.cz>
To: Mats Erik Andersson <mats.andersson@gisladisker.se>
Cc: submit@bugs.debian.org
Subject: Re: Kernel 8.2-1 is not enable with IPSEC
Date: Wed, 5 Oct 2011 08:04:34 +0200 (CEST)

Package: kfreebsd-8

> I was under the impression that my pushing for IPSEC support
> would have led to that feature being enabled in image 8.2,
> at least. Until a few minutes ago I have had a custom
> kernel 8.1 in use in order to evaluate ipsec-tools
> continuously. Now I have installed
>
>  kfreebsd-image-8.2-1-amd64
>
> and I must to my great disappointment observe that
> IPSec and pfkey is not activated in our prebuilt
> package. How come? I was under the impression that
> we all do agree on this matter.

Please could you be more specific? A quick search gives me [1].
Many follow-ups pointed you to use the BTS.
It is our workflow. Mails can easily be forgotten,
but entries in the BTS stay open.

In this particular case, which options and devices have to be added?
[1] lists:

>    option IPSEC
>    option IPSEC_NAT_T
>    device crypto
>    device enc

Do the devices have to be built in, or can they be built as modules?
I would prefer to use modules, iff possible.

What have you used in your custom kernel 8.1?

This mail goes also into BTS, the debian-bsd@l.d.o will receive a copy 
with assigned bug number.

Your work is really appreciated, but please try to fit into our workflow.

Petr

[1] http://lists.debian.org/debian-bsd/2011/02/msg00055.html




Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-8. (Wed, 05 Oct 2011 08:15:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mats Erik Andersson <mats.andersson@gisladisker.se>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Wed, 05 Oct 2011 08:15:07 GMT) Full text and rfc822 format available.

Message #10 received at 644353@bugs.debian.org (full text, mbox):

From: Mats Erik Andersson <mats.andersson@gisladisker.se>
To: 644353@bugs.debian.org
Subject: Re: Bug#644353: Kernel 8.2-1 is not enable with IPSEC
Date: Wed, 5 Oct 2011 10:11:00 +0200

On Wednesday, 5 October 2011 at 08:04, Petr Salinger wrote:
>
> In this particular case, which options and devices have to be added?
> [1] lists:
>
>>    option IPSEC
>>    option IPSEC_NAT_T
>>    device crypto
>>    device enc

All of these are needed for the desired IPSec functionality.

> Do the devices have to be built in, or can they be built as modules?
> I would prefer to use modules, iff possible.
>
> What have you used in your custom kernel 8.1?

I made them built-in for my custom kernel, so I can make no
accurate prediction as to the possibility of building them
as modules.

The option IPSEC activates "pfkey" in the kernel, so is
mandatory for IPSec to work at all. IPSEC_NAT_T activates
additional abilities to follow addressing and is needed
to overcome IPv4 address rewriting external to the host.
It should be activated however.

Of these "enc" gives rise to a network device "enc0" where
decrypted traffic shows up, a device which is accessible for
filtering, so this feature is conceivable as a module.
It is not available as a module in present kfreebsd-image-8.2-1-amd64
presumably because the option IPSEC was not active.

"crypto" does the obvious thing in the kernel, "cryptodev"
is the corresponding part for user land. Both are built as
modules in the present kfreebsd-image-8.2-1-amd64. Only "crypto"
is needed for functional IPSec, since "pfkey" does the tracing
and routing, whereas "crypto" must do encryption, decryption,
and authentication work for IPSec to make any sense at all.
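
Added example (not part of the original message, nor code from Debian or FreeBSD): a POSIX shell check that reports which of the four kernel configuration entries listed in this thread a FreeBSD-style kernel config file does not enable. The function names, the sample configuration and the one-entry-per-line parsing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which IPsec entries named in the thread are absent
# from a FreeBSD-style kernel configuration file (one entry per line assumed).

# The four entries listed in the thread, as keyword:name pairs.
IPSEC_REQUIRED="options:IPSEC options:IPSEC_NAT_T device:crypto device:enc"

# normalize_config FILE: print one keyword:name line per effective entry.
# Comments are dropped, "option" (as written in the thread) is treated like
# "options", and a later nooptions/nodevice line cancels an earlier entry.
normalize_config() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        {
            kw = $1; name = $2
            sub(/=.*/, "", name)                 # options NAME=value
            if (kw == "option")   kw = "options"
            if (kw == "nooption") kw = "nooptions"
            if (kw == "options" || kw == "device") on[kw ":" name] = 1
            else if (kw == "nooptions") delete on["options:" name]
            else if (kw == "nodevice")  delete on["device:" name]
        }
        END { for (k in on) print k }
    ' "$1"
}

# ipsec_missing FILE: print the required entries FILE does not enable,
# space separated; empty output means all four are present.
ipsec_missing() {
    present=$(normalize_config "$1")
    missing=""
    for want in $IPSEC_REQUIRED; do
        printf '%s\n' "$present" | grep -Fqx "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: NAT-T commented out, enc enabled and then cancelled.
sample_config() {
    printf '%s\n' 'ident IPSECTEST   # hypothetical name' 'options IPSEC' \
        '#options IPSEC_NAT_T' 'device crypto' 'device enc' 'nodevice enc'
}

tmp=$(mktemp) && sample_config > "$tmp"
echo "missing: $(ipsec_missing "$tmp")"
rm -f "$tmp"
```

This inspects only the configuration source; whether `crypto` or `enc` is instead provided as a loadable module has to be checked on the running system.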




Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-8. (Wed, 05 Oct 2011 17:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Millan <rmh@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Wed, 05 Oct 2011 17:15:03 GMT) Full text and rfc822 format available.

Message #15 received at 644353@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@debian.org>
To: Petr Salinger <Petr.Salinger@seznam.cz>, 644353@bugs.debian.org
Cc: Mats Erik Andersson <mats.andersson@gisladisker.se>
Subject: Re: Bug#644353: Kernel 8.2-1 is not enable with IPSEC
Date: Wed, 5 Oct 2011 19:11:29 +0200

2011/10/5 Petr Salinger <Petr.Salinger@seznam.cz>:
>>   option IPSEC
>>   option IPSEC_NAT_T
>>   device crypto
>>   device enc
>
> Do the devices have to be built in, or can they be built as modules?
> I would prefer to use modules, iff possible.

AFAIK everything that can be built as module already is.

Mats, if you want to build more things into kernel, the first question
that comes to mind is: why hasn't upstream built it in their GENERIC
config?

FreeBSD project has a lot more people and more knowledge about those
options, I think the best is to talk to them first.  Maybe they don't
have a reason not to enable them and it's just an oversight (this
happened with quota support IIRC).

-- 
Robert Millan




Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-8. (Wed, 05 Oct 2011 18:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mats Erik Andersson <mats.andersson@gisladisker.se>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Wed, 05 Oct 2011 18:09:03 GMT) Full text and rfc822 format available.

Message #20 received at 644353@bugs.debian.org (full text, mbox):

From: Mats Erik Andersson <mats.andersson@gisladisker.se>
To: 644353@bugs.debian.org
Subject: Re: Bug#644353: Kernel 8.2-1 is not blessed with IPSEC
Date: Wed, 5 Oct 2011 20:00:56 +0200

On Wednesday, 5 October 2011 at 19:11, Robert Millan wrote:
> 2011/10/5 Petr Salinger <Petr.Salinger@seznam.cz>:
> >>   option IPSEC
> >>   option IPSEC_NAT_T
> >>   device crypto
> >>   device enc
> >
> > Do the devices have to be built in, or can they be built as modules?
> > I would prefer to use modules, iff possible.
> 
> AFAIK everything that can be built as module already is.
> 
> Mats, if you want to build more things into kernel, the first question
> that comes to mind is: why hasn't upstream built it in their GENERIC
> config?

Good point. The official FreeBSD handbook, relevant to 8.2-RELEASED,
still claims, in chapter 14.9, that IPSec support would need a custom
built kernel.

> FreeBSD project has a lot more people and more knowledge about those
> options, I think the best is to talk to them first.  Maybe they don't
> have a reason not to enable them and it's just an oversight (this
> happened with quota support IIRC).

I will try to gather more information as to the reasons for Upstream
having chosen this path of action.


Regards,
  Mats E A




Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-8. (Fri, 07 Oct 2011 13:48:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mats Erik Andersson <mats.andersson@gisladisker.se>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Fri, 07 Oct 2011 13:48:11 GMT) Full text and rfc822 format available.

Message #25 received at 644353@bugs.debian.org (full text, mbox):

From: Mats Erik Andersson <mats.andersson@gisladisker.se>
To: 644353@bugs.debian.org
Subject: Re: Bug#644353: Kernel 8.2-1 is not blessed with IPSEC
Date: Fri, 7 Oct 2011 15:45:22 +0200

package kfreebsd-8
severity 644353 wishlist
thanks

There seem to be worries about the performance of the network stack
for standard servers, should the option IPSEC be enabled as default.
The code alterations inserted by this option have been claimed
to be so wide that the stack would be noticeably influenced even without
any PFKEY being active on a particular system.

Based on such hints I lower the severity. Perhaps we should even
tag this as "wontfix", leaving it as a useful marker for the future.

Regards, MEA




Severity set to 'wishlist' from 'normal' Request was from Mats Erik Andersson <mats.andersson@gisladisker.se> to control@bugs.debian.org. (Fri, 07 Oct 2011 13:48:13 GMT) Full text and rfc822 format available.

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 02 Sep 2013 21:18:44 GMT) Full text and rfc822 format available.

Notification sent to Petr Salinger <Petr.Salinger@seznam.cz>:
Bug acknowledged by developer. (Mon, 02 Sep 2013 21:18:44 GMT) Full text and rfc822 format available.

Message #32 received at 644353-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 550429-done@bugs.debian.org,570805-done@bugs.debian.org,593733-done@bugs.debian.org,601273-done@bugs.debian.org,602120-done@bugs.debian.org,610252-done@bugs.debian.org,614419-done@bugs.debian.org,631613-done@bugs.debian.org,641167-done@bugs.debian.org,644353-done@bugs.debian.org,644718-done@bugs.debian.org,658617-done@bugs.debian.org,669604-done@bugs.debian.org,687788-done@bugs.debian.org,690986-done@bugs.debian.org,706418-done@bugs.debian.org,720470-done@bugs.debian.org,720476-done@bugs.debian.org,
Cc: kfreebsd-8@packages.debian.org, kfreebsd-8@packages.qa.debian.org
Subject: Bug#721540: Removed package(s) from unstable
Date: Mon, 02 Sep 2013 21:16:43 +0000
Version: 8.3-7+rm

Dear submitter,

as the package kfreebsd-8 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/721540

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)



Bug reassigned from package 'kfreebsd-8' to 'kfreebsd-9'. Request was from Robert Millan <rmh@debian.org> to control@bugs.debian.org. (Mon, 02 Sep 2013 22:15:04 GMT) Full text and rfc822 format available.

No longer marked as fixed in versions 8.3-7+rm. Request was from Robert Millan <rmh@debian.org> to control@bugs.debian.org. (Mon, 02 Sep 2013 22:15:04 GMT) Full text and rfc822 format available.

Bug reopened Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Tue, 10 Sep 2013 10:03:04 GMT) Full text and rfc822 format available.

Changed Bug title to 'Enabling IPSEC' from 'Kernel 8.2-1 is not enable with IPSEC' Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Tue, 10 Sep 2013 10:03:04 GMT) Full text and rfc822 format available.

Marked as found in versions 9.1-4. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Tue, 10 Sep 2013 10:03:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-9. (Tue, 10 Sep 2013 10:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Tue, 10 Sep 2013 10:15:04 GMT) Full text and rfc822 format available.

Message #47 received at 644353@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 644353@bugs.debian.org
Subject: Re: Bug#644353: Enabling IPSEC
Date: Tue, 10 Sep 2013 11:12:33 +0100

Hi,

Many people are talking about using crypto as a matter of routine.

It would be really nice for IPSEC to be available in our kernels by
default as on Linux.  It may be important enough even if it means
diverging from upstream or if there is some overhead in doing so.

The basic functionality seems to work with the ipsec-tools package,
except for a problem enabling NAT-T (Bug #718224).

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#644353; Package kfreebsd-9. (Tue, 10 Sep 2013 16:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Millan <rmh@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Tue, 10 Sep 2013 16:18:04 GMT) Full text and rfc822 format available.

Message #52 received at 644353@bugs.debian.org (full text, mbox):

From: Robert Millan <rmh@debian.org>
To: debian-bsd@lists.debian.org, 644353@bugs.debian.org
Subject: Re: Bug#644353: Enabling IPSEC
Date: Tue, 10 Sep 2013 16:14:41 +0000

Steven Chamberlain:
> It would be really nice for IPSEC to be available in our kernels by
> default as on Linux.  It may be important enough even if it means
> diverging from upstream or if there is some overhead in doing so.

I haven't looked at this in detail, but what you say sounds very
convincing. Do you know why upstream isn't doing it? Perhaps they have a
reason we're unaware of.

-- 
Robert Millan





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:27:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.