Why KAME/racoon sucks (was: OpenSWAN ANNOUNCEMENT)

Michael K. Johnson johnsonm at redhat.com
Fri Jan 9 15:18:45 UTC 2004


On Thu, Jan 08, 2004 at 02:33:32AM -0700, Dax Kelson wrote:
> Plus the OpenSWAN developers say that they have no problem accepting
> patches from Americans. This way, if needed, RH can feed patches
> upstream.

Yes, this is key.

> I heard that the "no-patches-from-americans" was one of the major
> stumbling blocks on getting FreeSWAN into RH.

Well, we need to separate kernel space from user space.

As kernel group manager, I asked for a review of the FreeSWAN kernel
patches because IPSEC was highly desirable.  The review came back very
long and overwhelmingly negative.  It was not a case of "there are a lot
of things to fix", but rather "this code is really not worth fixing".
This was not just an individual opinion, but rather a shared response
by all reviewers.

So the fact that they wouldn't accept patches from Americans on the
kernel side didn't have the opportunity to be a practical problem
because our experts decided it was not fixable.  It would have been
a blocking problem otherwise.

When we decided that IPSEC was of strategic value, we asked David
Miller to do an IPSEC stack from scratch, designed for Linux and to be
acceptable to all the kernel maintainers.  There is no doubt that he
succeeded admirably.

The user space side, however, is an entirely different affair.  David was
certainly not happy with the FreeSWAN kernel patches, but while he
initially worked with kame/racoon for getting IPSEC going, he saw the
*SWAN development work on userspace and was impressed; he contacted me
to suggest that we consider switching.  Having a maintained user-space
that is intended for Linux and accepts patches without trying to score
political points is a big plus.

michaelkjohnson

 "He that composes himself is wiser than he that composes a book."
 Linux Application Development                     -- Ben Franklin
 http://people.redhat.com/johnsonm/lad/




