Date: Sun, 24 Jun 2001 18:10:07 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Soren Kristensen <soren@soekris.com>, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
Message-ID: <20010624181007.C52432@mail.webmonster.de>
In-Reply-To: <xzpn16x7uao.fsf@flood.ping.uio.no>; from des@ofug.org on Sun, Jun 24, 2001 at 05:48:47PM +0200
References: <3B33A891.EC712701@soekris.com> <xzpn16x7uao.fsf@flood.ping.uio.no>
Dag-Erling Smorgrav (des@ofug.org) @ 2001.06.24 17:48:47 +0000:
> Soren Kristensen <soren@soekris.com> writes:
> > As I now have prototypes available of low cost PCI and MiniPCI boards,
> > moving to production in a couple of weeks, I would like to check up on
> > the work, as I would really like to see FreeBSD support. The boards are
> > now supported in OpenBSD 2.9.
>
> OK, so if I understand correctly, the encryption hardware in question
> offers a high-speed hardware implementation of the encryption
> algorithms used by IPSec, so it's a matter of a) having support code
> that interfaces with the hardware, possibly with a device interface to
> allow userland apps access to the encryption hardware and b) making
> our (well, KAME's) IPSec code use that instead of doing the encryption
> in software. Is that it, or did I misunderstand something?

i think ipsec crypto abstraction into hardware is one side of the medal, but the other side -- to be polished first -- is getting openssl onto the iron.

for my former employer i had my hands on rainbow crypto hardware. it is a pci card called cryptoswift with a number, indicating the amount of ssl handshakes per second. the company has been renamed to ivea (http://www.ivea.com/). i came across this board since it is used in several "appliance" style boxes such as the intel netstructure ssl accelerators (drop-in https->http ethernet bridge). they had working support and drivers for 3.x, developed in-house, and i started hacking up the code for 4.x, but then i left the company (had to leave the hardware there, of course).

as far as i got, my experience with ssl handshake processing in hardware showed me a great improvement, since openssl plugs in the hardware to create random and to create session keys. stream crypto is spoken on the host, but this is done fast and very efficiently. if you offload the handshakes to the iron, most of your sysload goes away, of course.

i did not find another vendor in europe that provides a similar chip on a pci card, doing the stuff on the iron on a very high level (the card speaks x.50x ascii armored certificates natively, as far as i could see). it would be interesting if somebody from the u.s. could join in and present a list of available hardware and corresponding vendors. if there is hardware available from a crypto-relaxed country, such as south africa or similar, this would also be _very_ interesting, IMHO.

>
> Now, if you want FreeBSD support for your hardware, all you have to do
> is find a willing developer <whistles innocently>, send him a sample
> board (or preferably two, for a full circuit, but one will do) with
> complete documentation and any additional resources you are willing
> and able to provide, and then wait a bit. Simply asking for someone
> to port the OpenBSD driver will not do - OpenBSD and FreeBSD are not
> very similar at the kernel level, and as others have stated before in
> a different context, driver source does not constitute adequate
> documentation. It helps, but it's neither sufficient nor necessary.

as i said, there is a 3.x freebsd driver, would this help? i am not into writing drivers ;-)

/k

-- 
> Sex is one of the nine reasons for reincarnation ... the other eight
> are unimportant. --Henry Miller
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.