
ipsec/ike2/isakmp are implemented in kernel afaik, with userspace tools to control them, and they're used pretty heavily in commercial scenarios (for office-to-office VPN or VPN into a cloud tenancy, etc.). OpenVPN/Tinc etc. are userspace and seem to be popular for consumers, as they require less coupling and are relatively easy to set up.

In terms of whether that's good or bad, it depends on your requirements and what's optimal for you. If you think about the problems in OpenSSL, which backs OpenVPN, then that's been a fairly large attack surface vector. Compare that to ipsec/ike2 kernel-related vectors and weigh up the setup/learning/deployment costs of both.

IPSec is in the kernel. IKE is outside, in userland. IKE tends to be the part that gets compromised often, and IPSec in itself is pretty simple.

Putting control planes in the kernel is the worrying part IMHO.
