Difference between KLIPS and Netkey IPSEC stacks in Linux

awatan · Jun 1, 2013 · Viewed 9.1k times

I know both are IPSEC stacks in the Linux kernel and that KLIPS is older and Netkey is newer, but other than that I find no other documentation on them. I want to know the real technical differences between them. Is there anyone here who can tell me the difference or share some documentation source?

Any help would be appreciated.

Answer

John Smith Optional · Aug 30, 2014

From the article linked by shdobxr, the most relevant part regarding the difference between KLIPS and Netkey seems to be the following:

When you apply firewall (iptables) rules, KLIPS is the easier case, because with KLIPS, you can identify IPsec traffic, as this traffic goes through ipsecX interfaces. You apply iptables rules to these interfaces in the same way you apply rules to other network interfaces (such as eth0).

When using NETKEY, applying firewall (iptables) rules is much more complex, as the traffic does not flow through ipsecX interfaces; one solution can be marking the packets in the Linux kernel with iptables (with a setmark iptables rule). This mark is a member of the kernel socket buffer structure (struct sk_buff, from the Linux kernel networking code); decryption of the packet does not modify that mark.

Writing in 2014, all Linux distros should now come with a kernel that supports both KLIPS and Netkey.
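To make the firewalling difference concrete, here is an added example (not part of the question or the answer above, and not code from either IPsec project) that emits the iptables rules for each stack: interface-based rules for KLIPS, where decrypted traffic arrives on ipsec0, and mark-based rules for NETKEY, where the ESP packet is marked before decryption and the inner packet is matched on the surviving mark. The peer subnet 10.1.0.0/24, the allowed port 22 and the fwmark value 0x1 are assumptions chosen for illustration. The rules are printed rather than applied, so the script runs unprivileged; pipe its output into a root shell to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules that restrict
# traffic arriving over an IPsec tunnel to one TCP port, once for each stack.
# Assumptions (hypothetical): the remote subnet behind the tunnel is 10.1.0.0/24,
# the tunnel terminates on this host, and only TCP port 22 may be reached via it.

PEER_NET="10.1.0.0/24"      # assumed remote subnet reachable through the tunnel
ALLOW_PORT=22               # assumed port to allow from the tunnel
IPSEC_MARK=0x1              # arbitrary fwmark, used only by the NETKEY variant

# KLIPS: decrypted packets are delivered on ipsecX, so rules match on the
# interface exactly as they would on eth0.
klips_rules() {
    cat <<EOF
iptables -A INPUT -i ipsec0 -s $PEER_NET -p tcp --dport $ALLOW_PORT -j ACCEPT
iptables -A INPUT -i ipsec0 -j DROP
EOF
}

# NETKEY: there is no ipsecX device. Mark the ESP packet in mangle/PREROUTING
# before it is decrypted; the kernel keeps skb->mark across decryption, so the
# inner packet re-enters INPUT carrying the same mark and can be filtered on it.
# The outer ESP packet itself also traverses INPUT and must be accepted.
netkey_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark $IPSEC_MARK
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -m mark --mark $IPSEC_MARK -s $PEER_NET -p tcp --dport $ALLOW_PORT -j ACCEPT
iptables -A INPUT -m mark --mark $IPSEC_MARK -j DROP
EOF
}

# Select the rule set for a stack name; an unknown name returns non-zero.
gen_rules() {
    case "$1" in
        klips)  klips_rules ;;
        netkey) netkey_rules ;;
        *)      echo "unknown IPsec stack: $1" >&2; return 1 ;;
    esac
}

# Count how many emitted rules for a stack contain a given match string.
count_rules_with() {
    gen_rules "$1" | grep -c -- "$2"
}

# Usage: ./ipsec-rules.sh klips | sudo sh
if [ $# -gt 0 ]; then
    gen_rules "$1"
fi
```

Two caveats for the NETKEY variant that the quoted article does not spell out: when NAT traversal is in use the ESP payload arrives inside UDP port 4500 rather than as IP protocol 50, so the marking rule needs a matching `-p udp --dport 4500` counterpart; and kernels that ship the xt_policy match can replace the mark trick entirely with `-m policy --dir in --pol ipsec`, which matches packets that were decapsulated by the kernel's IPsec code without any pre-decryption bookkeeping.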