Date:      Sun, 11 Dec 2016 02:07:30 +0300
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        freebsd-current@FreeBSD.org, freebsd-net@FreeBSD.org
Subject:   [RFC/RFT] projects/ipsec
Message-ID:  <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org>

Hi All,

I am pleased to announce that projects/ipsec, which I started several
months ago, is ready for testing and review.
The main goals were:
  * rework locking to make IPsec code more friendly for concurrent
    processing;
  * make lookup in SADB/SPDB faster;
  * revise PFKEY implementation, remove stale code, make it closer
    to RFC;
  * implement IPsec VTI (virtual tunneling interface);
  * make IPsec code loadable as kernel module.

Currently all, except the last one, are mostly done. So, I decided to ask
for help to test what is already done, while I work on the last task.

How to try? There are no patches, you need to checkout the full
projects/ipsec source tree, and build the kernel and the base system.
There are very few changes in the base system, mostly the kernel
changes. Thus, for testing that an old configuration still works, it is
enough to build only the kernel.

The approximate list of changes that may be visible to users:
* SA bundles now can have only 4 items in the chain. I think it is
enough; I can't imagine configurations that need more. Also, SA
bundles are now supported for IPv6 too.
* due to changes in SPDB/SADB, systems where a large number of SPs and SAs
are in use should get significant performance benefits.
* the memory consumption should slightly increase. Several hash tables
and an SP cache have appeared.
* the INPCB SP cache should noticeably increase the network performance of
applications when security policies are present.
  https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042121.html
* using transport mode IPsec for forwarded IPv4 packets is now unsupported.
This matches the IPv6 behavior, and since we can handle the replies, I
think it is useless.
* Added the net.inet.ipsec.check_policy_history sysctl variable. When it is
set, each inbound packet that was handled by IPsec will be checked
according to the matching security policy. If not all IPsec transforms were
applied, the check will fail, and the packet will be dropped.
* Many PF_KEY message handlers were updated; probably some IKEd may now
fail due to stricter checks.
* SPI is now unique for each SA. This can also break something.
* Added the if_ipsec interface. For more info look at
  https://svnweb.freebsd.org/base?view=revision&revision=309115
  https://reviews.freebsd.org/P112
* TCP_SIGNATURE code was reworked and now it behaves closer to the RFC
  https://svnweb.freebsd.org/base?view=revision&revision=309610
* NAT-T support was reworked.
  https://svnweb.freebsd.org/base?view=revision&revision=309808
Also I made a patch to racoon that adds better support for NAT-T;
you can use this port to build the patched racoon:
  https://people.freebsd.org/~ae/ipsec-tools.tgz

What results are interesting to me?
If you have some nontrivial configuration, please test.
If you have some configuration that didn't work, please test this branch.
If you have performance problems, please test. But don't forget that
this is the head/ branch; you need to disable all debugging first.
If you just want to test, pay attention to the output of
`vmstat -m | egrep "sec|sah|pol|crypt"`.
If you have used the TCP_SIGNATURE or IPSEC_NAT_T options, please test;
this support was significantly changed.

PS. I just updated the branch to the latest head/, and it was not tested,
sorry :)

-- 
WBR, Andrey V. Elsukov
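As an added illustration (not code from the mail or from the FreeBSD kernel), here is a small C model of the check_policy_history behaviour the mail describes: a security policy lists the transforms it requires, the inbound packet carries the history of transforms that IPsec actually applied to it, and when the sysctl is set a packet whose history lacks a required transform is dropped instead of being delivered. The structures, the function names, the sample policies and the rule "every transform the policy requires must appear in the history" are assumptions made for this model; they are not the kernel's own data structures or its exact matching rule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the sysctl-controlled check described in the
 * mail. Protocol numbers are the real IANA values for ESP, AH and IPComp;
 * everything else here is a simplification made for illustration. */
enum ipsec_proto { PROTO_ESP = 50, PROTO_AH = 51, PROTO_IPCOMP = 108 };

#define MAX_BUNDLE 4 /* the mail says an SA bundle holds at most 4 items */

struct policy {
    const char *name;
    int nreq;                        /* number of required transforms */
    enum ipsec_proto req[MAX_BUNDLE]; /* transforms the policy requires */
};

struct history {
    int n;                               /* transforms actually applied */
    enum ipsec_proto applied[MAX_BUNDLE];
};

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };

/* Assumed matching rule: the packet passes only if every transform the
 * policy requires is present in the history of transforms applied to it.
 * Extra transforms in the history are tolerated by this model. */
bool policy_history_ok(const struct policy *sp, const struct history *h)
{
    for (int i = 0; i < sp->nreq; i++) {
        bool found = false;
        for (int j = 0; j < h->n; j++) {
            if (h->applied[j] == sp->req[i]) {
                found = true;
                break;
            }
        }
        if (!found)
            return false; /* a required transform was never applied */
    }
    return true;
}

/* Decide the fate of an inbound packet. With the sysctl unset the model
 * keeps the legacy behaviour and accepts without checking the history. */
enum verdict inbound_verdict(bool check_policy_history,
                             const struct policy *sp, const struct history *h)
{
    if (!check_policy_history)
        return VERDICT_ACCEPT;
    return policy_history_ok(sp, h) ? VERDICT_ACCEPT : VERDICT_DROP;
}

/* Constructed sample policy and packet histories (not real configuration). */
const struct policy SP_ESP_AH = { "require esp+ah", 2, { PROTO_ESP, PROTO_AH } };
const struct policy SP_ESP    = { "require esp",    1, { PROTO_ESP } };
const struct history H_NONE     = { 0, { PROTO_ESP } };
const struct history H_ESP_ONLY = { 1, { PROTO_ESP } };
const struct history H_ESP_AH   = { 2, { PROTO_ESP, PROTO_AH } };
const struct history H_AH_ESP   = { 2, { PROTO_AH, PROTO_ESP } };

int main(void)
{
    const char *names[] = { "ACCEPT", "DROP" };
    printf("%s, esp only, sysctl on : %s\n", SP_ESP_AH.name,
           names[inbound_verdict(true, &SP_ESP_AH, &H_ESP_ONLY)]);
    printf("%s, esp+ah,   sysctl on : %s\n", SP_ESP_AH.name,
           names[inbound_verdict(true, &SP_ESP_AH, &H_ESP_AH)]);
    printf("%s, esp only, sysctl off: %s\n", SP_ESP_AH.name,
           names[inbound_verdict(false, &SP_ESP_AH, &H_ESP_ONLY)]);
    printf("%s, nothing,  sysctl on : %s\n", SP_ESP.name,
           names[inbound_verdict(true, &SP_ESP, &H_NONE)]);
    return 0;
}
```

The interesting case for a defender is the first one: a packet that reached the socket after only ESP processing, although the policy demanded ESP and AH, is accepted by the legacy path and dropped only when the check is enabled. Any real deployment should confirm the kernel's own matching rule rather than rely on this model's assumption.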