
I know both are IPsec stacks in the Linux kernel and that KLIPS is older and Netkey is newer, but other than that I find no other documentation of them. I want to know the real technical differences between them. Is there anyone here who can tell me the difference or share some documentation source?

Any help would be appreciated.

awatan

2 Answers

7

From the article linked by shdobxr, the most relevant part regarding the difference between KLIPS and Netkey seems to be the following:

When you apply firewall (iptables) rules, KLIPS is the easier case, because with KLIPS, you can identify IPsec traffic, as this traffic goes through ipsecX interfaces. You apply iptables rules to these interfaces in the same way you apply rules to other network interfaces (such as eth0).

When using NETKEY, applying firewall (iptables) rules is much more complex, as the traffic does not flow through ipsecX interfaces; one solution can be marking the packets in the Linux kernel with iptables (with a setmark iptables rule). This mark is a member of the kernel socket buffer structure (struct sk_buff, from the Linux kernel networking code); decryption of the packet does not modify that mark.

Writing in 2014, all Linux distros should now come with a kernel that supports both KLIPS and Netkey.

John Smith Optional
  • Agreed, my search in helping the OP was for brevity sake. @Charles Duffy makes a logical statement about linkrot. Future comments will take into consideration his comment. Cheers. – shdobxr Apr 05 '17 at 16:02
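The firewalling difference quoted in the answer above, as an added example (not from the question, the answer or the Linux Journal article): the same policy ("accept SSH and forwarded traffic from the VPN subnet only if it arrived through the tunnel") written once for KLIPS, where the decrypted packets show up on an ipsecX interface, and once for NETKEY, where they show up on the physical interface and are recognised by a mark set on the ESP packet that survives decryption. The interface names eth0/ipsec0, the subnet 10.0.1.0/24 and the mark value 0x1 are assumptions; the script prints the rules instead of applying them unless APPLY=1 is set.

```shell
#!/bin/sh
# Dry-run by default: rules are echoed, not loaded. APPLY=1 runs the real
# iptables (requires root and a kernel built with the matching stack).
IPT="echo iptables"
if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; fi

# KLIPS: plaintext from the tunnel arrives on ipsec0 (assumed name), so the
# ordinary -i interface match is enough to tell tunnelled from cleartext.
klips_rules() {
    vpn_net=$1
    $IPT -A INPUT   -i eth0   -p esp -j ACCEPT
    $IPT -A INPUT   -i ipsec0 -s "$vpn_net" -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD -i ipsec0 -s "$vpn_net" -j ACCEPT
    # The same source addresses seen in cleartext on eth0 never came through
    # the tunnel, so they are dropped.
    $IPT -A INPUT   -i eth0   -s "$vpn_net" -j DROP
}

# NETKEY: the decrypted packet re-enters netfilter on eth0 like any other
# plaintext packet. Mark the outer ESP packet in mangle/PREROUTING; the mark
# lives in struct sk_buff and is kept through decryption, so the inner packet
# can be matched on it.
netkey_rules() {
    vpn_net=$1
    $IPT -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 0x1
    $IPT -A INPUT   -i eth0 -p esp -j ACCEPT
    $IPT -A INPUT   -i eth0 -m mark --mark 0x1 -s "$vpn_net" -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD -i eth0 -m mark --mark 0x1 -s "$vpn_net" -j ACCEPT
    # Unmarked packets claiming a VPN source address arrived in cleartext.
    $IPT -A INPUT   -i eth0 -s "$vpn_net" -j DROP
}

klips_rules 10.0.1.0/24
netkey_rules 10.0.1.0/24
```

On kernels that ship the xt_policy match, `-m policy --dir in --pol ipsec` is an alternative to marking for NETKEY, but the mark approach is the one the article describes.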
6

http://www.linuxjournal.com/article/9916

This is by far the best breakdown of a VPN setup with either. You should be able to deduce what you need from this article.

Good luck!

shdobxr
  • Two IPsec kernel stacks are currently available: KLIPS and NETKEY. The Linux kernel NETKEY code is a rewrite from scratch of the KAME IPsec code. The KAME Project was a group effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) protocol stack implementation for variants of the BSD UNIX computer operating system. KLIPS is not a part of the Linux kernel. When using KLIPS, you must apply a patch to the kernel to support NAT-T. – shdobxr Jan 29 '14 at 16:17
  • While this is very high-rated, generally link-only answers are not considered good form in StackOverflow. That is to say: An answer should still have enough information to add value and stand on its own even if any included links die. – Charles Duffy Mar 28 '17 at 21:01
  • Will take this into consideration in the future. Thanks for the heads up @CharlesDuffy – shdobxr Feb 11 '19 at 19:39