From owner-freebsd-stable@freebsd.org Tue Jan 10 19:49:46 2017
Subject: Re: [RFC/RFT] projects/ipsec
To: freebsd-current@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-stable@freebsd.org
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Tue, 10 Jan 2017 22:48:59 +0300
Message-ID: <3caafac9-d7ff-89bb-6fca-8968191ebb0a@FreeBSD.org>
In-Reply-To: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org>

Hi All,

I ported the changes from projects/ipsec to the stable/11 branch. So, if
that is more suitable for testing, you are welcome to use it. You can check
out the sources from GitHub:
https://github.com/bu7cher/freebsd/tree/stable/11

Also I made a standalone patch:
https://people.freebsd.org/~ae/ipsec.diff

Unfortunately, I only did a compile test for the stable branch.

> I am pleased to announce that projects/ipsec, which I started several
> months ago, is ready for testing and review.
>
> The main goals were:
> * rework locking to make the IPsec code more friendly for concurrent
>   processing;
> * make lookups in SADB/SPDB faster;
> * revise the PFKEY implementation, remove stale code, make it closer
>   to the RFC;
> * implement IPsec VTI (virtual tunneling interface);
> * make the IPsec code loadable as a kernel module.
>
> Currently all, except the last one, are mostly done. So, I decided to ask
> for help to test what is already done, while I work on the last task.
>
> How to try? There are no patches, you need to check out the full
> projects/ipsec source tree, and build the kernel and the base system.
> There are very few changes in the base system, mostly the kernel
> changes. Thus, for testing that an old configuration still works, it is
> enough to build only the kernel.
>
> The approximate list of changes that may be visible to users:
> * SA bundles now can have only 4 items in the chain. I think it is
>   enough, I can't imagine configurations where more are needed. Also, SA
>   bundles are now supported for IPv6 too.
> * due to changes in SPDB/SADB, systems where a large number of SPs and SAs
>   are in use should get significant performance benefits.
> * the memory consumption should slightly increase. Several hash tables
>   and an SP cache appeared.
> * the INPCB SP cache should noticeably increase the network performance of
>   applications when security policies are present.
>   https://lists.freebsd.org/pipermail/freebsd-net/2015-April/042121.html
> * use of transport mode IPsec for forwarded IPv4 packets is now unsupported.
>   This matches the IPv6 behavior, and since we can't handle the replies, I
>   think it is useless.
> * Added the net.inet.ipsec.check_policy_history sysctl variable. When it is
>   set, each inbound packet that was handled by IPsec will be checked
>   against the matching security policy. If not all IPsec transforms were
>   applied, the check will fail, and the packet will be dropped.
> * Many PF_KEY message handlers were updated, so some IKEds may now
>   fail due to stricter checks.
> * SPI is now unique for each SA. This also can break something.
> * Added the if_ipsec interface. For more info look at
>   https://svnweb.freebsd.org/base?view=revision&revision=309115
>   https://reviews.freebsd.org/P112
> * TCP_SIGNATURE code was reworked and now it behaves closer to the RFC
>   https://svnweb.freebsd.org/base?view=revision&revision=309610
> * NAT-T support was reworked.
>   https://svnweb.freebsd.org/base?view=revision&revision=309808
>   Also I made a patch to racoon that adds better support for NAT-T;
>   you can use this port to build the patched racoon:
>   https://people.freebsd.org/~ae/ipsec-tools.tgz
>
> What results are interesting to me?
> If you have some nontrivial configuration, please test.
> If you have some configuration that didn't work, please test this branch.
> If you have performance problems, please test. But don't forget that
> this is the head/ branch, you need to disable all debugging first.
> If you just want to test, pay attention to the output of
> `vmstat -m | egrep "sec|sah|pol|crypt"`.
> If you have used the TCP_SIGNATURE or IPSEC_NAT_T options, please test; this
> support was significantly changed.

IPsec as kernel modules was reported here:
https://lists.freebsd.org/pipermail/freebsd-net/2016-December/046762.html

Some additional testing is also needed with this...

-- 
WBR, Andrey V. Elsukov
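The `vmstat -m | egrep "sec|sah|pol|crypt"` check the announcement asks testers to watch is most useful as a before/after comparison: the InUse column for the IPsec and crypto malloc types should return to its starting value once SAs and policies are torn down, and a type whose InUse count keeps climbing across test runs is the first sign of a leak. The script below is an added example, not code from the mail or the FreeBSD tree. It parses two snapshots of that filtered output and reports every malloc type whose InUse count grew. Both snapshots are constructed sample data laid out in vmstat -m columns (Type InUse MemUse HighUse Requests Size(s)); the type names ipsec_sah, ipsec_pol and crypto_req are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the mail or the FreeBSD tree: compare two
# snapshots of `vmstat -m | egrep "sec|sah|pol|crypt"` captured before and
# after exercising IPsec, and flag malloc types whose InUse count grew.
# Both snapshots below are CONSTRUCTED sample data in vmstat -m column layout
# (Type InUse MemUse HighUse Requests Size(s)); the type names are hypothetical.
BEFORE='      ipsec_sah     4     1K       -        8  256
      ipsec_pol    12     2K       -       40  128
     crypto_req     0     0K       -      120  64'

AFTER='      ipsec_sah     4     1K       -       16  256
      ipsec_pol    12     2K       -       80  128
     crypto_req    37     3K       -     2400  64'

# On a real system the snapshots would be taken around the test run:
#   BEFORE=$(vmstat -m | egrep "sec|sah|pol|crypt")
#   ... run the IPsec test, then tear the SAs/SPs down ...
#   AFTER=$(vmstat -m | egrep "sec|sah|pol|crypt")

# snapshot_inuse SNAPSHOT TYPE: print the InUse column for malloc type TYPE,
# or nothing if TYPE does not appear in SNAPSHOT.
snapshot_inuse() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 == t && $2 ~ /^[0-9]+$/ { print $2 }'
}

# compare_snapshots BEFORE AFTER: print "type before after" for every type in
# AFTER whose InUse count increased. Requests always grows while traffic flows,
# so only InUse is compared; a type present only in AFTER is compared against 0.
compare_snapshots() {
    printf '%s\n' "$2" | awk '$2 ~ /^[0-9]+$/ { print $1, $2 }' |
    while read -r type after_inuse; do
        before_inuse=$(snapshot_inuse "$1" "$type")
        : "${before_inuse:=0}"
        if [ "$after_inuse" -gt "$before_inuse" ]; then
            printf '%s %s %s\n' "$type" "$before_inuse" "$after_inuse"
        fi
    done
}

# grown_count BEFORE AFTER: number of malloc types flagged by compare_snapshots.
grown_count() {
    compare_snapshots "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed snapshots: only crypto_req is flagged,
# since ipsec_sah and ipsec_pol returned to their starting InUse values.
compare_snapshots "$BEFORE" "$AFTER"
```

Requests is deliberately ignored because it is a monotonic counter that grows with every allocation; only a rising InUse after teardown points at memory that was never freed. Comparing against 0 for types absent from the first snapshot also catches malloc types that only get created once the first SA is installed.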