Date:      Mon, 27 Nov 2017 16:57:44 +0100
From:      "Peter G." <freebsd@disroot.org>
To:        freebsd-net@freebsd.org
Subject:   Re: Static IPsec (via setkey) and -A aes-xcbc-mac, how to?
Message-ID:  <cd642471-941c-18bd-b750-3c9db4e30cc7@disroot.org>
In-Reply-To: <faa08146-39f4-5ece-ce65-792113898ffc@disroot.org>
References:  <faa08146-39f4-5ece-ce65-792113898ffc@disroot.org>

On 27/11/2017 06:15, Peter G. wrote:
> Hi, can somebody please show me the correct syntax of setting static SA
> with aes-xcbc-mac authentication? I checked rfc3566, my "base"
> encryption algo is aes-128, aes-xcbc-mac is supposed to work with a
> 128-bit (16 characters) long key. I don't seem to be able to set it up,
> though.
> 
> Example (aes-cbc 128bit + supposedly aes-xcbc-mac):
> 
> add 10.10.1.1 10.10.2.2 esp 400 -m transport -u 400 -E rijndael-cbc
> "abcdefghijklmnop" -A aes-xcbc-mac "1234567890123456";
> 
> ends up in an error:
> 
> line 5: Not supported at [1234567890123456]
> parse failed, line 5.
> 
> The same syntax and appropriate key length work with anything else, e.g.
> hmac-sha2-256 with 32 character long key works just fine.
> 

Oh, I am on 11.1.

I've found two docs which clearly make this possible:

Firstly, a blog entry in Japanese:
https://moimoitei.blogspot.com/2009/10/measure-ipsec-throughput.html

Secondly, some company's paper on some of their tech (not really
important), but usage of -E aes-ctr with -A aes-xcbc-mac is listed as an
option, page 20:
http://www.lobaro.com/download/6lowpan/ZWIR45xx_AN_Security_Rev_1_30.pdf

I've also reviewed evolution of aes support for cryptodev, e.g. starting
here: https://reviews.freebsd.org/D2566 and all the source files related
to either setkey (for example sbin/setkey/token.l) or opencrypto in the
sources list or at least note aes-xcbc-mac availability.

Does anybody know how to get this working? Or does this mean there's no
actual kernel support for aes-xcbc-mac?

Thanks!

PG


