From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Apr 2005 08:56:35 -1000
From: Tim Newsham
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Secure ftp Again
In-Reply-To: <77158a75ac9ee53bb9de3e5763b11f16@collyer.net>
Message-ID:
References: <77158a75ac9ee53bb9de3e5763b11f16@collyer.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: micah@stetsonnet.org
Topicbox-Message-UUID: 330a7b00-ead0-11e9-9d60-3106f5b1d025

> Avoiding this sort of thing was surely part of the motivation for
> IPsec, but presotto points out (I hope I'm not misrepresenting him)
> that implementing IPsec, at least in the kernel, is messy, requiring
> lots of state and the ability to interrupt and restart cryptographic
> computations at awkward times.

Most of the complexity in IPSEC lies in the key negotiation protocol.
The actual per-packet handling (encryption and authentication) is
pretty simple. The key negotiation protocols do not need to reside
in the kernel; in fact, in most implementations they do not.

Tim Newsham
http://www.lava.net/~newsham/
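
Added example, not part of the message above and not code from any IPsec implementation: the per-packet step for ESP with NULL encryption and HMAC-SHA1-96 authentication, including the receiver's anti-replay window. The SA class, the function names, the SPI and the key are constructed for this example, and the SA is assumed to have been installed already by a separate key negotiation process.

```python
import hashlib, hmac, struct

ICV_LEN, WINDOW = 12, 64   # HMAC-SHA1-96 truncation (RFC 2404); anti-replay window size

class SA:
    def __init__(self, spi, auth_key):   # hypothetical SA record, keys already negotiated
        self.spi, self.auth_key = spi, auth_key
        self.tx_seq = 0      # last sequence number sent
        self.rx_top = 0      # highest authenticated sequence number
        self.rx_bitmap = 0   # bit i set: sequence (rx_top - i) was seen

def compute_icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

def esp_out(sa, payload, next_header):
    """Build SPI | seq | payload | padding | pad_len | next_header | ICV."""
    sa.tx_seq += 1
    pad_len = -(len(payload) + 2) % 4          # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", sa.spi, sa.tx_seq) + payload + trailer
    return body + compute_icv(sa, body)

def esp_in(sa, packet):
    """Return (payload, next_header), or None when the packet is dropped."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or seq == 0:
        return None
    behind = sa.rx_top - seq
    if behind >= WINDOW or (behind >= 0 and (sa.rx_bitmap >> behind) & 1):
        return None                            # too old, or a replay
    if not hmac.compare_digest(icv, compute_icv(sa, body)):
        return None                            # forged or corrupted
    if behind < 0:                             # window moves only after auth
        shift = min(-behind, WINDOW)
        sa.rx_bitmap = ((sa.rx_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.rx_top = seq
    else:
        sa.rx_bitmap |= 1 << behind
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        return None
    return body[8:len(body) - 2 - pad_len], next_header

if __name__ == "__main__":
    tx, rx = SA(0x1001, bytes(range(20))), SA(0x1001, bytes(range(20)))  # constructed key
    pkt = esp_out(tx, b"hello", 6)
    print(esp_in(rx, pkt), esp_in(rx, pkt))    # second delivery is a replay
```

Everything the receiver keeps per SA is a key, a counter and a 64-bit bitmap; none of it depends on how the key was agreed.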