• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Supporting RFC 2395 (LZS compression for IPcomp)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Supporting RFC 2395 (LZS compression for IPcomp)

  • Subject: Supporting RFC 2395 (LZS compression for IPcomp)
  • From: Alastair Rankine <email@hidden>
  • Date: Tue, 06 Apr 2004 05:59:55 +1000
Not sure if this is the right forum for this question...

The goal is to support VPN connections using RFC 2395 (LZS compression for IPcomp). Certain VSUs are configured to compress outbound traffic using this protocol. By default, darwin (and other KAME-based IPsec implementations) do not support this protocol.

Unfortunately LZS compression is patent encumbered. From the RFC:

Hi/fn, Inc. holds patents on the LZS algorithm. Licenses for a
reference implementation are available for use in IPPCP, IPSec, TLS
and PPP applications at no cost. Source and object licenses are
available on a non-discriminatory basis.

My reading of this says that including an implementation of LZS compression into the darwin IPsec stack would require Apple to license it from Hi/fn. Does anyone want to comment on the likelihood of this?

There may be another way however - I have heard that the linux folks are moving towards extensibility in their kernel for cases such as this. In particular, they are allowing additional compression/encryption/digest algorithms to be loaded dynamically into the kernel. This decouples the kernel from licensing restrictions for such algorithms.

I understand that the changes required are quite limited in scope. In order to add LZS compression, we simply need to modify the ipcomp_algorithm struct within ipcomp_core.c with pointers to the correct compression/decompression functions. Unfortunately this seems to require a kernel rebuild. How difficult would it be to allow this struct (and possibly it's equivalents in the other *_core.c modules) to be extended at runtime?
_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.

  • Prev by Date: any info on next-gen firewall (ipfw2)?
  • Next by Date: NKE filter
  • Previous by thread: Re: any info on next-gen firewall (ipfw2)?
  • Next by thread: NKE filter
  • Index(es):
    • Date
    • Thread