# FreeBSD 9.x IPSEC



## gkontos (Sep 19, 2012)

Hi all,

I am really curious in regards to IPSEC implementation in FreeBSD 9.x versus FreeBSD 8.x

So far the only information I have found is from the Release notes, but it doesn't seem to cover my questions.

More specifically, I am interested to find out the current implementation of IPSEC in FreeBSD in regards to IPv6.

I would appreciate if anyone could point me to a more recent, current documentation.

Thanks


----------



## throAU (Sep 20, 2012)

Reading the release notes it looks like 9.0 has been changed to be RFC 4868 compliant, rather than some FreeBSD quirk.

See RFC4868

According to the release notes this means FreeBSD9 -> Previous FreeBSD will not work with IPSEC.

As I understand it, IPSEC is a mandatory component of IPV6?


Sorry, I haven't tested IPV6 at all with IPSEC, and my previous IPSEC experience with FreeBSD is from back in the 4.x days. However, from the looks of it, my ASSUMPTION is that if IPV6 with IPSEC worked previously, it should work now, so long as the boxes involved are either both FreeBSD 9.x, FreeBSD 9.x to an RFC 4868 compliant device, or both previous versions of FreeBSD.


----------



## kpa (Sep 20, 2012)

throAU said:

> As I understand it, IPSEC is a mandatory component of IPV6?



Not really as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".


----------



## SirDice (Sep 20, 2012)

IPSec is most definitely part of the IPv6 specs. 



> IPsec is a mandatory component for IPv6, and therefore, the IPsec security model is required to be supported for all IPv6 implementations in near future. In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header.


http://www.ipv6.com/articles/security/IPsec.htm

http://www.freebsd.org/doc/en/books/developers-handbook/ipv6.html#ipsec-implementation


----------



## throAU (Sep 20, 2012)

kpa said:

> Not really as far as I understand. I'm using IPv6 from a tunnel broker (SixXS) and I haven't seen a single mention that IPSEC should be enabled yet in the documentation or the FAQs nor does my system have any sort of IPSEC system installed other than what comes by default in 9.1-RC1. I guess it's more of "has to support IPSEC if needed" than "has to implement IPSEC by default".



Not mandatory to make a connection via IPv6 (i.e., connect to your tunnel broker), but mandatory to claim that you have an IPv6 implementation.

If your device/OS doesn't support IPSec, then it doesn't have a complete IPv6 implementation.


----------



## gkontos (Sep 20, 2012)

That's where the confusion begins.


IPSEC is mandatory for IPv6 (RFC1752).
Earlier versions of FreeBSD < 9 were based on the KAME project, which actually provided the necessary IPSEC implementation.

After FreeBSD 9.0-RELEASE it is my understanding that the KAME project is no longer being used for IPv6. Yet, IPv6 works natively without having to build a custom KERNEL with IPSEC.


----------



## SirDice (Sep 20, 2012)

The KAME project was integrated into FreeBSD, which marked the end of the KAME project. It was further developed as a standard part of FreeBSD, in a similar fashion as TrustedBSD got integrated.

It's fairly simple actually, if you want to support IPv6 you _must_ also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.


----------



## gkontos (Sep 20, 2012)

SirDice said:

> The KAME project was integrated into FreeBSD. Which marked the end of the KAME project. It was further developed as a standard part of FreeBSD. In a similar fashion as TrustedBSD got integrated.



Ok, that makes sense. I was not aware of the fact that the KAME project got integrated into FreeBSD.



			
				SirDice said:
			
		

> It's fairly simple actually, if you want to support IPv6 you _must_ also support IPv6 IPSec. It's an integral part of the protocol. This is different from IPv4 where you had to add support for IPSec and IPv4 and IPSec are more or less separate entities.



I know IPSEC is mandatory for IPv6 to work. That is why I got confused in the first place. 

So, to conclude, is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?


----------



## SirDice (Sep 20, 2012)

gkontos said:

> So, to conclude is it safe to say that the HANDBOOK has to be modified in regards to distinguishing that those options are only applicable to IPv4?


I think it's safe to conclude the entire handbook could use a little TLC


----------



## gkontos (Sep 20, 2012)

SirDice said:

> I think it's safe to conclude the entire handbook could use a little TLC



You are right about that


----------



## wblock@ (Sep 20, 2012)

When you see things that need to be updated in the Handbook, please enter a PR.  Be as specific as you can about what is wrong or missing.  Patches are even better.  Without a PR, things can coast along with nobody realizing there is a problem.


----------



## gkontos (Sep 20, 2012)

wblock@ said:

> When you see things that need to be updated in the Handbook, please enter a PR.  Be as specific as you can about what is wrong or missing.  Patches are even better.  Without a PR, things can coast along with nobody realizing there is a problem.



You are absolutely right and I will. As a matter of fact, the FreeBSD Handbook is a very valuable piece of information. We need to keep it up to date because during the last 8 years that I have been following FreeBSD closely, a lot of things have changed.


----------



## gkontos (Sep 23, 2012)

Some new developments in my research so far:

IPSEC implementation is mandatory for IPv6, IPSEC deployment *is not*.

It turns out that the word "must" has changed to "should". See RFC 6434.



> The RIPE IPv6 Working Group has extensively discussed whether to make IPsec support mandatory or optional.  The most vocal constituents showed support for moving IPsec to the optional sections, which is what is reflected in this document.



Link: http://www.ripe.net/ripe/docs/current-ripe-documents/ripe-554


----------

