David Miller is maintaining a backport (caution, link requires BitKeeper) of the Linux 2.5 kernel's new IPsec infrastructure to the 2.4 kernel.
This is important for a couple of reasons. It means that we are likely to see RedHat, at least, shipping this code in the near future. Being able to go from a Linux 2.4 to an eventual Linux 2.6 kernel without changing your IPsec configuration is very attractive.
More importantly, however, the new IPsec infrastructure fits much more cleanly into the IP stack. FreeSWAN has been around for Linux for years, but its somewhat byzantine way of intercepting packets for encryption/decryption breaks dynamically routed environments. While these problems can be worked around (typically by setting up GRE tunnels and then running FreeSWAN through them — blurgh), a clean, integrated IPsec implementation in the Linux kernel is long overdue. Plus, folks in the US will be able to contribute to this project, which they weren’t able to do with FreeSWAN, due to that project’s concern with American crypto export laws.
This doesn’t mean that FreeSWAN will go away entirely, however. For pre-2.4 Linux kernels, it remains the only viable option for IPsec. And work has already begun to port some of the FreeSWAN user-space tools, most notably the Opportunistic Encryption infrastructure, to the new kernel hooks. Herbert Xu appears to be leading this effort.
Posted by pmk at July 5, 2003 12:40 PM