path: root/sys/netinet/ip_ipsp.h
Age | Commit message | Author
2000-10-14 | ASKPOLICY message; used by key management to inquire about policy triggering an ACQUIRE. | Angelos D. Keromytis
2000-10-09 | AES support. | Angelos D. Keromytis
2000-09-20 | Add IDENTITY payloads to flow establishment (and cleanup accordingly) -- this will address one of itojun's questions on how are IDs for IKE to be determined (need to add support for this to ipsecadm). | Angelos D. Keromytis
2000-09-19 | SA bundles. | Angelos D. Keromytis
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis
2000-06-18 | Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | Angelos D. Keromytis
2000-06-18 | IPv6 AH/ESP support, inbound side only. tested with KAME. | Jun-ichiro itojun Hagino
2000-06-06 | Get rid of tdb_ref, keep indirect pointer to TDB. | Angelos D. Keromytis
2000-06-01 | ipsp_acquire_sa() | Angelos D. Keromytis
2000-06-01 | Prototype for ipsp_spd_lookup() | Angelos D. Keromytis
2000-04-19 | tdb_ref should be signed, this avoids a problem with flushing the TDB table causing repeated allocations of bypass TDBs. | Angelos D. Keromytis
2000-03-29 | Conform to crypto framework changes for IVs. | Angelos D. Keromytis
2000-03-17 | Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal. | Angelos D. Keromytis
2000-02-28 | move crypto code | Theo de Raadt
2000-01-27 | Merge "old" and "new" ESP and AH in two files (one for each). Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits). | Angelos D. Keromytis
2000-01-21 | Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not affected by net.inet.ipip.allow (the sysctl formerly known as net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input. | Angelos D. Keromytis
2000-01-13 | mbuf **, not mbuf * you twit... | Angelos D. Keromytis
2000-01-13 | Add an ip4_input6() for use with IPv6 (just a wrapper for ip4_input()), add prototype, ifdef include files. | Angelos D. Keromytis
2000-01-13 | put_flow(), find_flow(), and delete_flow() get a third argument (for ingress or egress flow) | Angelos D. Keromytis
2000-01-10 | Add 10 new ipsec-related sysctl variables...they are currently under net.inet.ip; perhaps they should be moved under net.inet.ipsec or some such. | Angelos D. Keromytis
2000-01-10 | Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the amount of time embryonic SAs will be kept before they have to be initialized by key management (this only affects automated key management). | Angelos D. Keromytis
2000-01-09 | externalize ipsec_acl | Angelos D. Keromytis
1999-12-29 | fix _input/_output proto changes for tcp_signature; angelos@ ok | Michael Shalayeff
1999-12-25 | Move the IPsec packet-processing loop to a separate routine, so we can reuse it in ip6_output and the bridge. The policy-lookup code will probably follow suit in a separate routine sometime soon. | Angelos D. Keromytis
1999-12-08 | Fix debugging printf compilation. | Angelos D. Keromytis
1999-12-08 | IPv6 header handling, improve IPv4 option handling support. | Angelos D. Keromytis
1999-12-06 | New ESP code that's v4 and v6 friendly. | Angelos D. Keromytis
1999-12-04 | Address independence, IPv6 support, and the -local flag in ipsecadm is no longer needed. | Angelos D. Keromytis
1999-10-29 | New field in tdb, to be used with bridging. | Angelos D. Keromytis
1999-10-29 | Get rid of unnecessary third argument in *_output routines of IPsec. | Angelos D. Keromytis
1999-10-29 | Remove unnecessary argument from ipe4_output() and etherip_output() | Angelos D. Keromytis
1999-10-28 | Add Ethernet-IP encapsulation handling. | Angelos D. Keromytis
1999-09-29 | Critical reliability fix for IPsec. On i386 splsoftclock is not a perfect emulation of a "real" architecture's splsoftclock, as it assumes it is only invoked from higher spl levels. Use splsoftnet instead. | Niklas Hallqvist
1999-08-10 | Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb | Hakan Olsson
1999-08-05 | Add tdb_walk. tdb_delete() should clean up routes when deleting flows. | Hakan Olsson
1999-07-15 | From angelos@, edits by me, demand keying for PF_KEY | Niklas Hallqvist
1999-07-06 | Added support for TCP MD5 option (RFC 2385). | cmetz
1999-06-30 | remove final low-level crypto knowledge from base ipsec code | Theo de Raadt
1999-06-18 | split out transforms; some debugging done but there may still be bugs in the new key init/zero functions | Theo de Raadt
1999-06-06 | Ident. | Angelos D. Keromytis
1999-05-23 | SA hash table resizing | Niklas Hallqvist
1999-05-20 | Fix a bug where the ordered expiration list could get out of order. Add invariant checking of the lists when DIAGNOSTIC compiled. Extend the critical region to cover all of tdb_expiration so the tdb won't disappear behind our back. | Niklas Hallqvist
1999-05-16 | spltdb introduced, protection for tdb lists and related structures, so they won't disappear behind our back by an expiration. Cleanup expiration logic too. | Niklas Hallqvist
1999-05-14 | A new scalable IPsec SA expiration model. | Niklas Hallqvist
1999-05-11 | Remove cruft that wasted space en masse in the IPsec subsystem | Niklas Hallqvist
1999-04-11 | Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too. | Niklas Hallqvist
1999-03-27 | add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company. | Niels Provos
1999-02-25 | Move union sockaddr_union to ip_ipsp.h | Angelos D. Keromytis
1999-02-24 | Update copyright; remove a few annoying debugging printfs. Btw, OpenBSD hit 25000 commits a couple commits ago. | Angelos D. Keromytis
1999-02-24 | add skipjack support back | Theo de Raadt