From owner-freebsd-net@freebsd.org Mon Nov 27 15:58:05 2017
From: "Peter G."
To: freebsd-net@freebsd.org
Subject: Re: Static IPsec (via setkey) and -A aes-xcbc-mac, how to?
Date: Mon, 27 Nov 2017 16:57:44 +0100
List-Id: Networking and TCP/IP with FreeBSD

On 27/11/2017 06:15, Peter G. wrote:
> Hi, can somebody please show me the correct syntax of setting static SA
> with aes-xcbc-mac authentication? I checked rfc3566, my "base"
> encryption algo is aes-128, aes-xcbc-mac is supposed to work with a
> 128-bit (16 characters) long key. I don't seem to be able to set it up,
> though.
>
> Example (aes-cbc 128bit + supposedly aes-xcbc-mac):
>
> add 10.10.1.1 10.10.2.2 esp 400 -m transport -u 400 -E rijndael-cbc
> "abcdefghijklmnop" -A aes-xcbc-mac "1234567890123456";
>
> ends up in an error:
>
> line 5: Not supported at [1234567890123456]
> parse failed, line 5.
>
> The same syntax and appropriate key length work with anything else, e.g.
> hmac-sha2-256 with 32 character long key works just fine.

Oh, I am on 11.1.

I've found two docs which clearly make this possible:

Firstly, a blog entry in Japanese:
https://moimoitei.blogspot.com/2009/10/measure-ipsec-throughput.html

Secondly, some company's paper on some of their tech (not really important),
but usage of -E aes-ctr with -A aes-xcbc-mac is listed as an option, page 20:
http://www.lobaro.com/download/6lowpan/ZWIR45xx_AN_Security_Rev_1_30.pdf

I've also reviewed evolution of aes support for cryptodev, e.g. starting here:
https://reviews.freebsd.org/D2566
and all the source files related to either setkey (for example
sbin/setkey/token.l) or opencrypto in the sources list or at least note
aes-xcbc-mac availability.

Does anybody know how to get this working? Or does this mean there's no
actual kernel support for aes-xcbc-mac?

Thanks!
PG
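Editor's note, added to this archived message and not part of the thread: the algorithm the post is trying to configure is small enough to show in full, and seeing it makes the key-length point concrete. RFC 3566 defines AES-XCBC-MAC with a single 128-bit key K, derives three subkeys K1, K2, K3 from it by encrypting constant blocks, chains the message through AES under K1, and folds K2 (complete final block) or K3 (padded final block) into the last block; ESP and AH carry the leftmost 96 bits of the result as the ICV (AES-XCBC-MAC-96). That is why the 16-character key in the post is the right length for this algorithm even though hmac-sha2-256 wants 32. One further observation, which is a reading of the setkey/libipsec source and not something the thread confirms: the "Not supported" text is what setkey prints when its key-length check (ipsec_check_keylen()) cannot find the algorithm in the list the kernel returned to SADB_REGISTER, which is consistent with the kernel not advertising aes-xcbc-mac at all; the example below does not settle that question. The Go program is written for this page using only Go's standard-library AES; it is not FreeBSD code. It verifies itself against the seven test vectors published in RFC 3566 and rejects any key that is not exactly 128 bits; the payload used in main is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// AES-XCBC-MAC (RFC 3566). Added example, not code from the thread or from FreeBSD.

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESXCBCMAC returns the full 128-bit MAC of msg under key. RFC 3566 fixes K at
// 128 bits whatever key size the paired ESP cipher uses, so anything else is rejected.
// ESP and AH carry the leftmost 96 bits of the result (AES-XCBC-MAC-96) as the ICV.
func AESXCBCMAC(key, msg []byte) ([]byte, error) {
	if len(key) != aes.BlockSize {
		return nil, fmt.Errorf("aes-xcbc-mac: key must be 128 bits, got %d", len(key)*8)
	}
	kc, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var k1, k2, k3 [aes.BlockSize]byte // K1, K2, K3 = AES_K(0x01^16), AES_K(0x02^16), AES_K(0x03^16)
	kc.Encrypt(k1[:], bytes.Repeat([]byte{0x01}, aes.BlockSize))
	kc.Encrypt(k2[:], bytes.Repeat([]byte{0x02}, aes.BlockSize))
	kc.Encrypt(k3[:], bytes.Repeat([]byte{0x03}, aes.BlockSize))
	c, _ := aes.NewCipher(k1[:]) // K1 keys every block of the chain; a 16-byte key cannot fail

	// E[0] = 0; M[1..n-1] are chained CBC-style; M[n] gets the K2/K3 treatment below.
	e := make([]byte, aes.BlockSize)
	full := 0 // an empty message is one padded block, so it has nothing to chain
	if len(msg) > 0 {
		full = (len(msg) - 1) / aes.BlockSize
	}
	for i := 0; i < full; i++ {
		xorInto(e, msg[i*aes.BlockSize:(i+1)*aes.BlockSize])
		c.Encrypt(e, e)
	}
	var last [aes.BlockSize]byte
	tail := msg[full*aes.BlockSize:]
	copy(last[:], tail)
	if len(tail) == aes.BlockSize {
		xorInto(last[:], k2[:]) // complete final block: XOR with K2
	} else {
		last[len(tail)] = 0x80 // short or empty final block: pad 10*, XOR with K3
		xorInto(last[:], k3[:])
	}
	xorInto(e, last[:])
	c.Encrypt(e, e)
	return e, nil
}

// RFC 3566 test vectors, all under K = 000102...0f. The first six messages are
// the first msgLen bytes of 00 01 02 ... 21; the seventh is 1000 zero bytes.
var rfc3566Key, _ = hex.DecodeString("000102030405060708090a0b0c0d0e0f")

var rfc3566Vectors = []struct {
	msgLen int
	zeros  bool
	mac    string
}{
	{0, false, "75f0251d528ac01c4573dfd584d79f29"},
	{3, false, "5b376580ae2f19afe7219ceef172756f"},
	{16, false, "d2a246fa349b68a79998a4394ff7a263"},
	{20, false, "47f51b4564966215b8985c63055ed308"},
	{32, false, "f54f0ec8d2b9f3d36807734bd5283fd4"},
	{34, false, "becbb3bccdb518a30677d5481fb6b4d8"},
	{1000, true, "f0dafee895db30253761103b5d84528f"},
}

// CheckRFC3566Vectors returns nil when every vector matches, else the first mismatch.
func CheckRFC3566Vectors() error {
	for i, v := range rfc3566Vectors {
		msg := make([]byte, v.msgLen)
		for j := 0; j < len(msg) && !v.zeros; j++ {
			msg[j] = byte(j)
		}
		got, err := AESXCBCMAC(rfc3566Key, msg)
		if err != nil || hex.EncodeToString(got) != v.mac {
			return fmt.Errorf("vector %d: got %x, want %s (%v)", i+1, got, v.mac, err)
		}
	}
	return nil
}

func main() {
	fmt.Println("RFC 3566 vectors:", CheckRFC3566Vectors()) // <nil>: all seven matched
	// The key from the post is 16 ASCII bytes, i.e. a valid 128-bit K; the payload is constructed.
	if mac, err := AESXCBCMAC([]byte("1234567890123456"), []byte("constructed ESP payload")); err == nil {
		fmt.Printf("96-bit ICV: %x\n", mac[:12]) // ESP/AH carry the leftmost 96 bits
	}
}
```

Run it with `go run` on any machine; nothing in it talks to the kernel. The key-length guard is the part worth carrying over to any setkey experiment: a 32-character key that satisfies hmac-sha2-256 is simply not an AES-XCBC-MAC key, whichever algorithms the kernel happens to register.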