This is a very short description of the individual bits and pieces
of IPNSEC as of version 0.84.

1. The kernel

The Linux 2.0.33 kernel is patched with the provided patch so that,
during IP processing, a new firewall call for the pseudo-address family
PF_IPSEC is made. Although hooks are present for both incoming and
outgoing traffic, only the outgoing hooks are used at the moment.
The call_fw_firewall call is also used for getting the MTU of the device
before installing IPSec, which is an ugly hack (this is inherited
from ENskip and will hopefully change soon).

Besides the firewall hooks, sockets know about authentication and
encryption levels, and there is a sockopt to set and get these.

The kernel checks that packets processed via a particular socket
match the policy requested for that socket.

Everything else is just sugar needed to get the above functionality
working (like the extra argument to all firewall calls, which is now
part of the 2.1.xx kernel train).

2. The ipnsec module

The module performs several functions:

- contains the actual PF_IPSEC firewalling code
- implements the IPSec "routing" decisions: these are policy routes
  which map packets to a target/SPI pair
- performs the actual IPSec transforms (AH, ESP)
- provides the user/kernel API via a netlink driver
- provides some basic information via /proc/net/ipsec-route
  and /proc/net/ipsec-spi
- installs an IP protocol handler for protocol 50 (ESP) and 51 (AH)
  packets; this handler performs authentication and decryption

The module attaches itself to all devices enabled for IP except the
loopback device. When the module is removed, it restores the original
MTU of all the interfaces.
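
The two kernel-side checks described above (section 1's per-socket
policy check and the protocol 50/51 handler's mapping of an inbound
packet to its SA) are modelled below as a user-space program. This is an
added example, not IPNSEC's code: the struct sa layout, the auth/enc
flags, the sa_table contents, the function names and the constructed
32-byte packets are all assumptions made for illustration. The only
protocol facts it relies on are the IPv4 header layout and the position
of the SPI (offset 4 in AH, offset 0 in ESP, in both the RFC 1826/1827
and the RFC 2402/2406 layouts).

```c
/* Added example, not IPNSEC's code: a user-space model of the inbound demux
 * of protocol 50/51 packets to a (destination, protocol, SPI) SA entry and of
 * the per-socket policy check. The struct layout, level flags, SA table and
 * packet builder are assumptions for illustration. Build: cc -std=c99 -Wall */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ESP 50                  /* IP protocol numbers for ESP and AH */
#define PROTO_AH  51

struct sa {
    uint32_t dst;                     /* destination address, host byte order */
    uint8_t  proto;                   /* PROTO_ESP or PROTO_AH */
    uint32_t spi;
    int      auth, enc;               /* protection this SA actually provides */
};

/* Constructed SA table, standing in for what ipsecadm would have installed. */
static const struct sa sa_table[] = {
    { 0x0a000002, PROTO_AH,  0x1000, 1, 0 },   /* 10.0.0.2, AH, SPI 0x1000 */
    { 0x0a000002, PROTO_ESP, 0x2000, 0, 1 },   /* 10.0.0.2, ESP, SPI 0x2000 */
};

static uint32_t get32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Pull (dst, proto, SPI) out of an IPv4 packet. The SPI is at offset 4 of an
 * AH header and offset 0 of an ESP header. Returns -1 for non-IPsec input and
 * for a packet that claims AH/ESP but is too short to carry the SPI. */
int ipsec_demux(const uint8_t *pkt, size_t len, uint32_t *dst, uint8_t *proto, uint32_t *spi)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, off;
    if (ihl < 20 || len < ihl) return -1;
    *proto = pkt[9];
    *dst = get32(pkt + 16);
    if (*proto == PROTO_AH) off = ihl + 4;
    else if (*proto == PROTO_ESP) off = ihl;
    else return -1;
    if (len < off + 4) return -1;     /* claims IPsec but the SPI is cut off */
    *spi = get32(pkt + off);
    return 0;
}

/* Inbound SA lookup: dst, protocol and SPI must all match. */
const struct sa *sa_lookup(uint32_t dst, uint8_t proto, uint32_t spi)
{
    for (size_t i = 0; i < sizeof sa_table / sizeof sa_table[0]; i++)
        if (sa_table[i].dst == dst && sa_table[i].proto == proto && sa_table[i].spi == spi)
            return &sa_table[i];
    return NULL;
}

/* The socket's requested levels are a floor: a packet that received less
 * protection than the socket asked for is rejected. sa == NULL means the
 * packet arrived in clear. */
int policy_ok(int want_auth, int want_enc, const struct sa *sa)
{
    if (want_auth && !(sa && sa->auth)) return 0;
    if (want_enc  && !(sa && sa->enc))  return 0;
    return 1;
}

/* 1 if pkt may be delivered to a socket with these levels, else 0. */
int accept_packet(const uint8_t *pkt, size_t len, int want_auth, int want_enc)
{
    uint32_t dst, spi; uint8_t proto;
    if (ipsec_demux(pkt, len, &dst, &proto, &spi) != 0)
        return policy_ok(want_auth, want_enc, NULL);   /* cleartext path */
    const struct sa *sa = sa_lookup(dst, proto, spi);
    return sa ? policy_ok(want_auth, want_enc, sa) : 0; /* unknown SPI: drop */
}

/* Constructed 32-byte IPv4 packet 10.0.0.1 -> 10.0.0.2 carrying AH, ESP or
 * plain TCP (proto 6); returns its length. */
size_t build_packet(uint8_t *buf, uint8_t proto, uint32_t spi)
{
    memset(buf, 0, 32);
    buf[0] = 0x45; buf[3] = 32; buf[8] = 64; buf[9] = proto;
    put32(buf + 12, 0x0a000001);
    put32(buf + 16, 0x0a000002);
    if (proto == PROTO_AH) { buf[20] = 6; buf[21] = 2; put32(buf + 24, spi); }
    else if (proto == PROTO_ESP) put32(buf + 20, spi);
    return 32;
}

int main(void)
{
    uint8_t pkt[32];
    size_t n = build_packet(pkt, PROTO_AH, 0x1000);
    printf("AH SPI 0x1000, auth-only socket: %d\n", accept_packet(pkt, n, 1, 0));
    printf("AH SPI 0x1000, socket wanting encryption: %d\n", accept_packet(pkt, n, 0, 1));
    return 0;
}
```

Two design points worth noting. A packet whose SPI matches no SA is
dropped outright rather than handed on as cleartext, even to a socket
that requested no protection; otherwise an attacker could bypass the
decapsulation path by sending garbage with protocol 50. And the policy
check treats the socket's levels as a floor, so an AH-only SA never
satisfies a socket that asked for encryption.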

3. The userland utilities

The userland utilities set various options via the user/kernel
API provided by the /dev/ipsec netlink driver.

The utilities are:

- ipsecadm to create, change and delete manually keyed SAs
- rt to set up IPSec policy routes and to map packets to existing SAs
- rtdelete to delete existing IPSec routing entries
- photurisd for Photuris based dynamic key management
- startkey to start a new Photuris key exchange

These utilities use the /dev/ipsec interface and have different
headers, but are otherwise identical to those in the current
OpenBSD release (the exception is rtdelete, which requires further
arguments, as in rt, to specify the exact route to be deleted).

4. The documentation

Well, there is not much yet. The quality of this code assumes
that you are an experienced kernel hacker, that you do not mind
the occasional system crash, and that you know a hell of a lot about
IPSec. If you do not qualify, stay tuned, but do not blame me
(you can ask for help if you are stuck).

