From: Mike Tancsa <mike@sentex.net>
To: "David P. Discher", "Andrey V. Elsukov", John-Mark Gurney
Cc: freebsd-net@freebsd.org
Subject: Re: Is if_ipsec/ipsec - AESNI accelerated ?
Date: Fri, 10 Aug 2018 16:44:03 -0400
Organization: Sentex Communications
List-Id: Networking and TCP/IP with FreeBSD

On 8/9/2018 4:11 PM, David P. Discher wrote:
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] sudo setkey -D
> Password:
> 10.245.0.201 10.245.0.202
>         esp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
>         E: rijndael-cbc  79e053a5 221c6d48 31e4c98a 3ae8c8ed
                           ^^^^^^^^ ^^^^^^^^ ^^^^^^^^ ^^^^^^^^

BTW, if you use a static psk, does not the above line essentially give
someone with access to the ESP traffic a way to decode your traffic?

        ---Mike

>         A: hmac-sha2-256 9f1a4188 7849ad94 41cfd974 a5e0570a cc7c54a5 c16f5ebc 6bb39fbb 212abce0
>         seq=0x00000011 replay=4 flags=0x00000000 state=mature
>         created: Aug  9 19:21:15 2018   current: Aug  9 19:38:13 2018
>         diff: 1018(s)   hard: 86400(s)  soft: 69120(s)
>         last: Aug  9 19:21:16 2018      hard: 0(s)      soft: 0(s)
>         current: 2652(bytes)    hard: 0(bytes)  soft: 0(bytes)
>         allocated: 17   hard: 0 soft: 0
>         sadb_seq=1 pid=2441 refcnt=1
> 10.245.0.202 10.245.0.201
>         esp mode=tunnel spi=170852236(0x0a2eff8c) reqid=12(0x0000000c)
>         E: rijndael-cbc  221239cf e0ddedc5 88f1f711 5e744723
>         A: hmac-sha2-256 bf214e0e 73b27e42 1090a067 eaed9e2a d36d3ae7 529a40a1 bf5ea2c9 0e3f5f27
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Aug  9 19:21:15 2018   current: Aug  9 19:38:13 2018
>         diff: 1018(s)   hard: 86400(s)  soft: 69120(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=0 pid=2441 refcnt=1
>
>
>
> [ pts/0 sjc2 util201:~ ]
> [ dpd ] sudo setkey -D -P
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
>         in ipsec
>         esp/tunnel/10.245.0.202-10.245.0.201/unique:12
>         spid=22 seq=11 pid=2443 scope=global
>         refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
>         in ipsec
>         esp/tunnel/10.245.0.203-10.245.0.201/unique:4
>         spid=24 seq=10 pid=2443 scope=global
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>         in ipsec
>         esp/tunnel/10.245.0.202-10.245.0.201/unique:12
>         spid=5 seq=9 pid=2443 scope=ifnet ifname=ipsec12
>         refcnt=1
> ::/0[any] ::/0[any] any
>         in ipsec
>         esp/tunnel/10.245.0.202-10.245.0.201/unique:12
>         spid=7 seq=8 pid=2443 scope=ifnet ifname=ipsec12
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>         in ipsec
>         esp/tunnel/10.245.0.203-10.245.0.201/unique:4
>         spid=13 seq=7 pid=2443 scope=ifnet ifname=ipsec4
>         refcnt=1
> ::/0[any] ::/0[any] any
>         in ipsec
>         esp/tunnel/10.245.0.203-10.245.0.201/unique:4
>         spid=15 seq=6 pid=2443 scope=ifnet ifname=ipsec4
>         refcnt=1
> 172.30.1.12/30[any] 172.30.1.12/30[any] any
>         out ipsec
>         esp/tunnel/10.245.0.201-10.245.0.202/unique:12
>         spid=21 seq=5 pid=2443 scope=global
>         refcnt=1
> 172.30.1.4/30[any] 172.30.1.4/30[any] any
>         out ipsec
>         esp/tunnel/10.245.0.201-10.245.0.203/unique:4
>         spid=23 seq=4 pid=2443 scope=global
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>         out ipsec
>         esp/tunnel/10.245.0.201-10.245.0.202/unique:12
>         spid=6 seq=3 pid=2443 scope=ifnet ifname=ipsec12
>         refcnt=1
> ::/0[any] ::/0[any] any
>         out ipsec
>         esp/tunnel/10.245.0.201-10.245.0.202/unique:12
>         spid=8 seq=2 pid=2443 scope=ifnet ifname=ipsec12
>         refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
>         out ipsec
>         esp/tunnel/10.245.0.201-10.245.0.203/unique:4
>         spid=14 seq=1 pid=2443 scope=ifnet ifname=ipsec4
>         refcnt=1
> ::/0[any] ::/0[any] any
>         out ipsec
>         esp/tunnel/10.245.0.201-10.245.0.203/unique:4
>         spid=16 seq=0 pid=2443 scope=ifnet ifname=ipsec4
>         refcnt=1
>
>
> --
> David P. Discher
> https://davidpdischer.com/
> 408.368.3725 • dpd@dpdtech.com

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada
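As an added example (not code from this thread, from FreeBSD, or from either poster): the point Mike makes about the `E:` line applies to the whole SA entry, and to anyone it is pasted to. The script below parses a `setkey -D` dump of the shape quoted above, reports each SA with the lengths of its keys instead of the key bytes, flags SAs that carry no lifetime (what a hand-installed `setkey add` SA looks like, since it is never rekeyed), and rewrites the `E:`/`A:` lines so the dump can be shared. The dump embedded in it is constructed to mirror the quoted output; its key bytes are placeholders, and the second SA's zero lifetimes and SPI are assumptions chosen to show the static case. It assumes KAME-style `setkey` output as FreeBSD prints it.

```python
"""Summarise and redact a FreeBSD `setkey -D` dump (added example, not code
from this thread or from FreeBSD). SAMPLE_DUMP is constructed to mirror the
quoted output; its key bytes are placeholders. The second SA is assumed to
have been installed by hand (`setkey add`) and so carries no lifetime."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_DUMP = """\
10.245.0.201 10.245.0.202
\tesp mode=tunnel spi=60080461(0x0394c14d) reqid=12(0x0000000c)
\tE: rijndael-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha2-256 00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
\tseq=0x00000011 replay=4 flags=0x00000000 state=mature
\tcreated: Aug  9 19:21:15 2018\tcurrent: Aug  9 19:38:13 2018
\tdiff: 1018(s)\thard: 86400(s)\tsoft: 69120(s)
\tcurrent: 2652(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=1 pid=2441 refcnt=1
10.245.0.202 10.245.0.201
\tesp mode=tunnel spi=4096(0x00001000) reqid=0(0x00000000)
\tE: rijndael-cbc  ffeeddcc bbaa9988 77665544 33221100
\tA: hmac-sha2-256 77777777 66666666 55555555 44444444 33333333 22222222 11111111 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 1018(s)\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=0 pid=2441 refcnt=1
"""

SA_HEAD_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "src dst" opens an SA
PROTO_RE = re.compile(r"^(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-f]+)\)\s+reqid=(\d+)")
KEY_RE = re.compile(r"^([EA]):\s+(\S+)\s+([0-9a-f]+(?:\s+[0-9a-f]+)*)\s*$")
LIFE_S_RE = re.compile(r"^diff:\s*\d+\(s\)\s+hard:\s*(\d+)\(s\)")
LIFE_B_RE = re.compile(r"^current:\s*\d+\(bytes\)\s+hard:\s*(\d+)\(bytes\)")
STATE_RE = re.compile(r"\bstate=(\w+)")


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    reqid: int = 0
    enc_alg: str = ""
    enc_key: bytes = b""
    auth_alg: str = ""
    auth_key: bytes = b""
    hard_s: int = 0      # hard time lifetime; 0 = never expires
    hard_bytes: int = 0  # hard byte lifetime; 0 = unlimited
    state: str = ""

    def is_static(self) -> bool:
        """No lifetime at all: the SA is never rekeyed, so a leaked key
        stays valid for as long as the SA is configured."""
        return self.hard_s == 0 and self.hard_bytes == 0


def parse_setkey_dump(text: str) -> List[SA]:
    sas: List[SA] = []
    cur: Optional[SA] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = SA_HEAD_RE.match(raw)
            cur = SA(src=m.group(1), dst=m.group(2)) if m else None  # else: prompt/banner
            if cur:
                sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if m := PROTO_RE.match(line):
            cur.proto, cur.mode = m.group(1), m.group(2)
            cur.spi, cur.reqid = int(m.group(3), 16), int(m.group(4))
        elif m := KEY_RE.match(line):
            key = bytes.fromhex(re.sub(r"\s", "", m.group(3)))
            if m.group(1) == "E":
                cur.enc_alg, cur.enc_key = m.group(2), key
            else:
                cur.auth_alg, cur.auth_key = m.group(2), key
        elif m := LIFE_S_RE.match(line):
            cur.hard_s = int(m.group(1))
        elif m := LIFE_B_RE.match(line):
            cur.hard_bytes = int(m.group(1))
        elif m := STATE_RE.search(line):
            cur.state = m.group(1)
    return sas


def report(sas: List[SA]) -> List[str]:
    """One line per SA with key lengths only; safe to paste into a list post."""
    out = []
    for sa in sas:
        tag = "STATIC: no lifetime, never rekeyed" if sa.is_static() else f"rekey after {sa.hard_s}s"
        out.append(f"{sa.src} -> {sa.dst} {sa.proto}/{sa.mode} spi=0x{sa.spi:08x} "
                   f"{sa.enc_alg} {len(sa.enc_key) * 8}-bit + {sa.auth_alg} "
                   f"{len(sa.auth_key) * 8}-bit [{tag}]")
    return out


def redact_keys(text: str) -> str:
    """Rewrite the E:/A: lines of a dump, keeping everything else verbatim."""
    out = []
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            indent = raw[: len(raw) - len(raw.lstrip())]
            nbits = len(bytes.fromhex(re.sub(r"\s", "", m.group(3)))) * 8
            out.append(f"{indent}{m.group(1)}: {m.group(2)} <{nbits}-bit key redacted>")
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for line in report(parse_setkey_dump(SAMPLE_DUMP)):
        print(line)
    print(redact_keys(SAMPLE_DUMP))
```

Whoever holds src, dst, SPI, the two algorithm names and the two keys can decrypt and authenticate every packet of that SA offline; Wireshark's ESP dissector takes exactly those fields in its ESP SA table. With IKE-negotiated SAs the exposure ends at the next rekey (the quoted dump shows hard: 86400(s)); a manually keyed SA has no lifetime, so a key that leaves the box in a paste is good until someone changes the configuration. Run the script over `setkey -D` output before posting it, or at least over the `E:` and `A:` lines.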