From: Andrey Sverdlichenko
Date: Tue, 11 Jul 2000 12:53:23 +0400 (MSD)
To: freebsd-security@freebsd.org
Subject: Re: Hardware crypto (Re: KAME stable 20000704)

On Mon, 10 Jul 2000, Jun-ichiro itojun Hagino wrote:

> In case anyone got confused: please note that "IPsec support for
> crypto card" and "crypto card support as user-mode device file"
> are totally different things. Former one needs MAJOR work in
> network IP layer design (BSD IP layer runs under software interrupt,
> killing possibility for offloading CPU). OpenBSD did a truly
> super job on this.

Hmmm... I don't know about KAME/IPSEC, but in our cryptorouter I made it
in an easy way:

1) in software interrupt context packet goes to "crypto task queue"
2) kernel process gets packet from this queue and passes it to
   encryption/decryption functions (currently software, but I see nothing
   special in hardware support)
3) after processing, the packet is injected back to ip_input()/ip_output().
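The three steps described in the message above, as an added example in user-space C; it is not code from the original message or from the poster's cryptorouter. All names (crypto_enqueue, crypto_worker_drain, reinject), the queue bound, the drop-when-full policy and the XOR placeholder transform are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define QLEN    4    /* bounded queue: a packet flood cannot exhaust memory */
#define PKT_MAX 64   /* constructed size limit for this example */
struct pkt { uint8_t data[PKT_MAX]; size_t len; int outbound; };
static struct pkt queue[QLEN], last_out; /* last_out: what ip_output() received */
static size_t q_head, q_count;
static unsigned long dropped, reinjected_in, reinjected_out;

/* Step 1: called from the software-interrupt path, so it must not block. */
int crypto_enqueue(const uint8_t *buf, size_t len, int outbound)
{
    if (len > PKT_MAX || q_count == QLEN) {
        dropped++;   /* assumption: drop rather than forward unprocessed */
        return -1;
    }
    struct pkt *p = &queue[(q_head + q_count++) % QLEN];
    memcpy(p->data, buf, len);
    p->len = len;
    p->outbound = outbound;
    return 0;
}

/* Placeholder transform, NOT a cipher: marks where software or card crypto runs. */
static void crypto_transform(struct pkt *p)
{
    for (size_t i = 0; i < p->len; i++)
        p->data[i] ^= 0x5a;
}

/* Step 3: stand-in for handing the packet back to ip_input()/ip_output(). */
static void reinject(const struct pkt *p)
{
    if (p->outbound) { reinjected_out++; last_out = *p; }
    else reinjected_in++;
}

/* Step 2: body of the kernel process; a real one sleeps while the queue is empty. */
size_t crypto_worker_drain(void)
{
    size_t n = 0;
    for (; q_count > 0; q_count--, n++) {
        crypto_transform(&queue[q_head]);
        reinject(&queue[q_head]);
        q_head = (q_head + 1) % QLEN;
    }
    return n;
}
```

Because the enqueue side only copies and returns, the interrupt-context cost stays constant whether the transform in step 2 is done in software or handed to a card.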