Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Francis Dupont <> Wed, 07 June 2017 20:05 UTC

From: Francis Dupont <>
To: Ted Lemon <>
cc: Tomek Mrugalski <>,
In-reply-to: Your message of Wed, 07 Jun 2017 15:26:30 -0400. <>
Date: Wed, 07 Jun 2017 21:50:20 +0200

 In your previous mail you wrote:

>  Suppose I want to code up a DHCP client that uses IPsec on the Mac.
>  What API do I use?   Since encryption is now being done in the network
>  stack, I don't have the option of not using an API.   AFAIK, no such API
>  exists.   I'm choosing the Mac specifically because I haven't been able
>  to find documentation for one there—I know I can do it on Linux.

=> PF_KEY (/usr/include/net/pfkeyv2.h). You are making some friends
(and I am afraid some are in this list) not fully happy (:-)...


PS: the real issue is more how to configure IKEv2 on macOS. As IPsec
is in the kernel, applications have no API to use to get IPsec protection
for their traffic, but of course this (insert color here) magic does not
come from nowhere, and again only common VPN scenarios are managed
by system tools. This does not mean it is impossible to do what one
wants, but it is likely not easy, so to summarize, the color could become dark.