Diego has given the last part of beet patch (beet interfamily support) to the usagi developers (Kazunori Miyazawa and Yoshifugi Hideaki). They are going to finalize it and submit it soon to the standard kernel.
I asked also Herbert Xu about adopting our patch that blocks applications during key exchange, because otherwise the applications gets an error from the kernel. However, the patch was not necessary. Dave Miller supplied a patch for this to the latest linux kernel. The patch returns a OK (0) the application, discards data packets during key exchange and let's the transport layer or application to deal with retransmissions. It is not the optimal solution but works in most cases. One linux developer was actually going to implement ARP-like queuing of IPsec packets that would buffer the ESP/AH packets until key exchange is completed, but the idea never came concrete in terms of code.
I also noticed that the latest version of iproute2 tool already includes support for BEET. The next thing to do is to update the kernel images on our webpage!
-- Miika Komu http://www.iki.fi/miika/
