From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: freebsd-current@FreeBSD.org, freebsd-net@FreeBSD.org
Subject: [RFC/RFT] projects/ipsec
Date: Sun, 11 Dec 2016 02:07:30 +0300
Message-ID: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org>

Hi All,

I am pleased to announce that projects/ipsec, which I started several months ago, is ready for testing and review.
The main goals were:

* rework locking to make IPsec code more friendly for concurrent processing;
* make lookup in SADB/SPDB faster;
* revise PFKEY implementation, remove stale code, make it closer to RFC;
* implement IPsec VTI (virtual tunneling interface);
* make IPsec code loadable as kernel module.

Currently all, except the last one, is mostly done. So, I decided to ask for help to test what is already done, while I work on the last task.

How to try?

There are no patches, you need to check out the full projects/ipsec source tree, and build the kernel and the base system. There are very few changes in the base system, mostly the kernel changes. Thus, for testing that old configurations still work, it is enough to build only the kernel.

The approximate list of changes that may be visible to users:

* SA bundles now can have only 4 items in the chain. I think it is enough, I can't imagine configurations where more is needed. Also, SA bundles are now supported for IPv6 too.
* due to changes in SPDB/SADB, systems where a large number of SPs and SAs are in use should get significant performance benefits.
* the memory consumption should slightly increase. Several hash tables and an SP cache have appeared.
* INPCB SP cache should noticeably increase the network performance of applications when security policies are present. https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042121.html
* use of transport mode IPsec for forwarded IPv4 packets is now unsupported. This matches the IPv6 behavior, and since we can handle the replies, I think it is useless.
* Added net.inet.ipsec.check_policy_history sysctl variable. When it is set, each inbound packet that was handled by IPsec will be checked according to the matching security policy. If not all IPsec transforms were applied, the check will fail, and the packet will be dropped.
* Many PF_KEY message handlers were updated, probably some IKEds may now fail due to stricter checks.
* SPI is now unique for each SA. This also can break something.
* Added if_ipsec interface. For more info look at https://svnweb.freebsd.org/base?view=revision&revision=309115 and https://reviews.freebsd.org/P112
* TCP_SIGNATURE code was reworked and now it behaves closer to RFC: https://svnweb.freebsd.org/base?view=revision&revision=309610
* NAT-T support was reworked: https://svnweb.freebsd.org/base?view=revision&revision=309808 Also I made a patch to racoon that adds better support for NAT-T; you can use this port to build patched racoon: https://people.freebsd.org/~ae/ipsec-tools.tgz

What results are interesting to me?

If you have some nontrivial configuration, please test.
If you have some configuration that didn't work, please test this branch.
If you have performance problems, please test. But don't forget that this is the head/ branch, you need to disable all debugging first. If you just want to test, pay attention to the output of `vmstat -m | egrep "sec|sah|pol|crypt"`.
If you have used the TCP_SIGNATURE, IPSEC_NAT_T options, please test, this support was significantly changed.

PS. I just updated the branch to the latest head/, and it was not tested, sorry :)

-- 
WBR, Andrey V. Elsukov
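The check_policy_history sysctl described in the list above, as an added example that is not part of the mail and not the kernel's own code: a simplified POSIX sh model of the semantics "the packet is dropped unless every transform the matching policy requires was actually applied". The "proto/mode" entry format and the constructed policies and histories are assumptions made for the example; the only constraint taken from the announcement is that a bundle holds at most 4 entries.

```sh
#!/bin/sh
# Added example: simplified model of net.inet.ipsec.check_policy_history.
# Not the FreeBSD kernel's implementation; the kernel compares more SA state
# than the "proto/mode" token used here.
#
# Returns 0 when every transform required by the policy appears in the
# packet's history (accept), 1 when one is missing (drop), 2 when the policy
# bundle is longer than the 4 entries the announcement allows (invalid).
ipsec_check_history() {
    policy=$1      # required transforms, e.g. "esp/tunnel ah/transport"
    history=$2     # transforms IPsec actually applied to this inbound packet
    n=0
    for req in $policy; do
        n=$((n + 1))
        [ "$n" -le 4 ] || return 2        # bundle longer than 4 entries
        case " $history " in
            *" $req "*) ;;                # required transform was applied
            *) return 1 ;;                # missing: check fails, drop packet
        esac
    done
    return 0
}

# Run a few constructed cases and print the verdict for each; the histories
# here are made up for the example, not captured from a real system.
ipsec_history_demo() {
    set -- \
        "esp/tunnel ah/transport|ah/transport esp/tunnel" \
        "esp/tunnel ah/transport|esp/tunnel" \
        "esp/tunnel|esp/tunnel ah/transport" \
        "esp/tunnel|"
    for c in "$@"; do
        pol=${c%%|*}
        hist=${c#*|}
        if ipsec_check_history "$pol" "$hist"; then v=accept; else v=drop; fi
        printf 'policy [%s] history [%s] -> %s\n' "$pol" "$hist" "$v"
    done
}

ipsec_history_demo
```

A history that contains extra transforms beyond what the policy asks for still passes, matching the announcement's wording that only missing transforms make the check fail.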
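The `vmstat -m | egrep "sec|sah|pol|crypt"` check the author asks testers to watch, turned into a small leak-spotting script as an added example (not from the mail or the project): it takes two saved `vmstat -m` snapshots and reports the matching malloc types whose InUse count grew between them. The column layout assumed is FreeBSD's "Type InUse MemUse HighUse Requests Size(s)", and the two snapshots embedded below are constructed sample data, with type names only loosely modelled on the kernel's.

```sh
#!/bin/sh
# Added example: diff two `vmstat -m` snapshots for IPsec-related malloc
# types. Assumes the first two columns are "Type" and "InUse". Snapshot
# contents in ipsec_malloc_demo are constructed, not real vmstat output.

# Print "type before after" for every type matching the announcement's
# pattern whose InUse count is higher in $2 than in $1.
ipsec_malloc_growth() {
    before=$1
    after=$2
    awk '
        # Same type filter as the egrep in the announcement.
        $1 ~ /sec|sah|pol|crypt/ {
            if (NR == FNR) { inuse[$1] = $2; next }   # first file: remember
            if (($1 in inuse) && $2 > inuse[$1])      # second file: compare
                printf "%s %d %d\n", $1, inuse[$1], $2
        }
    ' "$before" "$after"
}

# Constructed before/after snapshots: a tester would instead save real
# `vmstat -m` output before and after a traffic run.
ipsec_malloc_demo() {
    b=$(mktemp); a=$(mktemp)
    cat > "$b" <<'EOF'
         Type InUse MemUse HighUse Requests  Size(s)
     secasvar     3     1K       -       12  256
       sahead     2     1K       -        4  128
  ipsecpolicy     4     1K       -        9  256
       crypto    10     2K       -      200  64,128
       devbuf  1200   510K       -     1500  16,32,64
EOF
    cat > "$a" <<'EOF'
         Type InUse MemUse HighUse Requests  Size(s)
     secasvar     7     2K       -       40  256
       sahead     2     1K       -        8  128
  ipsecpolicy     4     1K       -       20  256
       crypto    10     2K       -      800  64,128
       devbuf  1210   512K       -     1600  16,32,64
EOF
    ipsec_malloc_growth "$b" "$a"
    rm -f "$b" "$a"
}

ipsec_malloc_demo
```

Only secasvar is reported in the demo: devbuf grew too but is outside the pattern, and the Requests column rising while InUse stays flat is normal allocation churn, not a leak.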