From owner-freebsd-hackers@FreeBSD.ORG Mon May 14 09:03:11 2012 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6FD67106566C for ; Mon, 14 May 2012 09:03:11 +0000 (UTC) (envelope-from dgeorgester@gmail.com) Received: from mail-yw0-f54.google.com (mail-yw0-f54.google.com [209.85.213.54]) by mx1.freebsd.org (Postfix) with ESMTP id 2EC248FC0C for ; Mon, 14 May 2012 09:03:11 +0000 (UTC) Received: by yhgm50 with SMTP id m50so5114879yhg.13 for ; Mon, 14 May 2012 02:03:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=gznYpdBUyT7HqOgLkIhTto7rT5Vx6SWHIiDRVmt9kN0=; b=iOlREFzPCILn/3PZq5hHvxvdmaLl7gwuX4gJ1go52KGfVRjPiCg3kFKJWe2mgq31en CJIcf0mUbeBo1ucYdNFQL5TmFZ4pT/8/q2xJ91el1RoMKo0T6s1Q9aKl8j5XlXGT81Op k5sE0zGfsP6Lp+5y7qKrHNCqlmgjlhG6rBe2p85cABaIAJKp9f+F2cSC5junxsZmDOzu pq+K05FzJzmwGSB9NklwHHWzIiLkvHb6kY+x8LwCRqyjg4fALmX5qFoyvgEkVsK1PtpJ RbXyca5kV1k4cVgPkI8YyJfWz1d0aC0M/UjFtsHYd7PwL9PElTeVxl3pK1ytB+bChFKm HdkA== MIME-Version: 1.0 Received: by 10.236.175.105 with SMTP id y69mr7126368yhl.83.1336986190618; Mon, 14 May 2012 02:03:10 -0700 (PDT) Received: by 10.146.165.3 with HTTP; Mon, 14 May 2012 02:03:10 -0700 (PDT) Date: Mon, 14 May 2012 11:03:10 +0200 Message-ID: From: David George To: freebsd-hackers@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Mailman-Approved-At: Mon, 14 May 2012 11:23:56 +0000 Subject: FreeBSD IPSec adventures X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 May 2012 09:03:11 -0000 Hello All. I have been working on a project where the goal has been to convert the FreeBSD IPSec stack to a userspace application. The project is pretty far along, so I thought I would dump my observations/experiences with regards the IPSec stack here. (Hopefully this is the correct forum) 1) SADB_X_SPDUPDATE (PFKEY call to update an existing Security Policy) I found that FreeBSD creates a new policy with a new unique Security Policy ID when performing an SP update. There appears to be no definitive RFC for this behaviour, I found this text in an IETF memo titled "MOBIKE Extensions for PF_KEY": " SADB_X_SPDUPDATE: If an existing SPD entry should be updated, the IKEv2 implementation sends a SADB_X_SPDUPDATE message to the kernel. This massage has the following format: The kernel responds with a message of the form: The meaning of the payloads is the same as for the SADB_X_SPDADD message. All the content of a SPD entry can be changed except the sadb_x_policy_id field and the source/destination addresses, which are the inner addresses in tunnel mode. However, the tunnel endpoint addresses, which only exist in tunnel mode, can be changed using a SADB_X_SPDUPDATE message. " I think that the approach of not modifying the policy ID is the more sensible; and as it turns out, was something that my work required. Does anyone know why FreeBSD takes this approach? 2) ESP + Authentication Crypto Performance I ran into some performance issues when using ESP with any authentication. The problem is that only one crypto device can be used for the ESP transform. This makes it impossible to use AESNI with ESP+auth with FreeBSD as it stands, which amounts to a major performance penalty. This looked tricky to resolve properly, as it seems to be an infrastructural problem. 3) SHA1 Performance I also had some problems with the opencrypto software SHA1 performance. By substituting the opencrypto sha1 call with an openssl library call the time to do a 1000B hash reduced to under half. Has anyone else noted SHA1 performance problems? Would be great to have some comments from FreeBSD gurus. Kind regards, David George