add sec(4) to support route based ipsec vpns.
ipsec security associations (SAs, aka tdbs inside the kernel) can
now specify that they're to be used with an interface (using
TDBF_IFACE) rather than the ipsec security policy database. sec(4)
is the driver providing that interface.
the name is specifically chosen to not be ipsec(4) because that's
already taken by the manpage for the ipsec stack generally. sec(4)
is short, easy to type and pronounce, and kind of sounds like ipsec
anyway. the names for this type of interface in other platforms
seems to be universally terrible and too generic, so i didn't want
to copy any of those either.
sec(4) can be considered equivalent to gif(4) protected by ipsec,
and on the wire it actually looks the same. sec(4) exists to better
support how security associations for route-based ipsec VPNs are
negotiated and to avoid SPD entries for them.
the code is a little green, but i'm putting it in now so it can be
hacked on in the tree.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
projects / openbsd / commit