From owner-freebsd-stable Thu Jan 23 21:39:49 2003
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7308437B401 for ; Thu, 23 Jan 2003 21:39:47 -0800 (PST)
Received: from ebb.errno.com (ebb.errno.com [66.127.85.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id C3FAC43F18 for ; Thu, 23 Jan 2003 21:39:46 -0800 (PST) (envelope-from sam@errno.com)
Received: from melange (melange.errno.com [66.127.85.82]) (authenticated bits=0) by ebb.errno.com (8.12.5/8.12.1) with ESMTP id h0O5djnN088215 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Thu, 23 Jan 2003 21:39:46 -0800 (PST) (envelope-from sam@errno.com)
X-Authentication-Warning: ebb.errno.com: Host melange.errno.com [66.127.85.82] claimed to be melange
Message-ID: <174301c2c36b$00f68c70$52557f42@errno.com>
From: "Sam Leffler"
To:
Subject: HEADS UP: fast ipsec committed
Date: Thu, 23 Jan 2003 21:39:45 -0800
Organization: Errno Consulting
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I just committed my "Fast IPsec" support. This is an implementation of the IPsec protocols that makes use of the kernel crypto framework. What this means is that if you have a hardware crypto card it will automatically be used by the protocols. If you don't have crypto hardware you will use the host cpu as before.

Note that this code has been in use for quite a while but should be considered "experimental". There is no IPv6 support (there is code but it's more a placeholder than anything else) and the IPcomp support is presently busted (ENOTIME).
You cannot configure both this code and the KAME IPsec code together; you will get a compile error. For the moment you will also get a compile error if you try to enable IPv6 together with this code. I plan to remove that soon.

If you want to configure the code use something like this in your kernel config file:

    options         FAST_IPSEC
    pseudo-device   crypto
    device          ubsec       # for Broadcom-based crypto cards
    device          hifn        # for Hifn-based crypto cards

There should be minimal user-visible differences from the KAME IPsec code. In particular you should be able to use racoon, setkey, isakmpd, or whatever as with KAME. The output of netstat -s is not meaningful for ah, esp, ipcomp, and ipip--statistics are done rather differently and I haven't committed any of this code yet. If you want to monitor the statistics for now you'll need to use gdb -k or use sysctl to fetch the statistics blocks (there's one for each of the ah, esp, ipcomp, and ipip protocols). You'll also note some differences in the MIBs; if you're curious look at the code in the sys/netipsec directory.

I've gotten numerous questions about where to get crypto hardware. For low-end hifn-based crypto hardware checkout www.soekris.com. The vpn1201 cards use hifn 7951 parts that I see peak out at 80 Mb/s for 3DES+SHA1/MD5. Higher performance hifn-based cards are available from GTGI (www.gtgi.com); my tests show them peak at ~150 Mb/s. Otherwise there are Broadcom-based cards. Those based on the 5822 part have a peak rate of 400 Mb/s. At the moment however I'm not sure where they can be had unless you're an OEM. I'm working on finding a source and will post here when there is something to say.

Adding new/different crypto hardware is just a matter of creating a driver. If the hardware is already supported by OpenBSD then it's just a matter of porting their driver which isn't a big deal. If you know of good crypto hardware that you want supported, tell the vendor to contact me and I'll see what I can do.
For application acceleration you can grab a copy of OpenSSL 0.9.7 which was recently released. It should build out of the box to support /dev/crypto. Then any application that uses openssl will automatically be h/w accelerated. (This has nothing to do with fast ipsec but I mention it since I'm sure I'll get asked.)

As always this commit should be a noop if you don't use the code. Please contact me if you see any ill effects.

Sam

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
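The message states three build-time constraints for the new code: FAST_IPSEC cannot be configured together with the KAME IPsec code, it does not (yet) build together with IPv6, and it relies on the kernel crypto framework. The script below is an added example, not part of Sam's message or of the FreeBSD tree: a small POSIX sh lint that checks a kernel config file for those combinations before you run config(8) and wait for the compile error. It assumes the KAME stack is selected with "options IPSEC" and IPv6 with "options INET6", accepts either "pseudo-device crypto" or "device crypto" for the crypto framework, and uses function names and sample config files of my own construction.

```shell
#!/bin/sh
# Added example (not from the post or the FreeBSD tree): lint a kernel config
# against the FAST_IPSEC constraints stated in the announcement. Assumes the
# KAME stack is "options IPSEC" and IPv6 is "options INET6"; function names
# and the sample configs below are constructed for this demonstration.

# has_line FILE REGEX: succeed if an uncommented line of FILE matches REGEX.
has_line() {
    sed 's/#.*//' "$1" | grep -Eq "$2"
}

# check_fast_ipsec_config FILE: return 0 if FILE is consistent, 1 if it
# combines FAST_IPSEC with something the post says will not build.
check_fast_ipsec_config() {
    f=$1
    rc=0
    if ! has_line "$f" '^[[:space:]]*options[[:space:]]+FAST_IPSEC([[:space:]]|$)'; then
        echo "$f: FAST_IPSEC not configured, nothing to check"
        return 0
    fi
    # KAME IPsec and Fast IPsec are mutually exclusive.
    if has_line "$f" '^[[:space:]]*options[[:space:]]+IPSEC([[:space:]]|$)'; then
        echo "$f: options IPSEC and FAST_IPSEC cannot both be configured" >&2
        rc=1
    fi
    # IPv6 does not yet build together with Fast IPsec.
    if has_line "$f" '^[[:space:]]*options[[:space:]]+INET6([[:space:]]|$)'; then
        echo "$f: INET6 does not build together with FAST_IPSEC yet" >&2
        rc=1
    fi
    # The crypto framework must be in the kernel for Fast IPsec to use it.
    if ! has_line "$f" '^[[:space:]]*(pseudo-)?device[[:space:]]+crypto([[:space:]]|$)'; then
        echo "$f: FAST_IPSEC needs 'pseudo-device crypto'" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not real kernel configs) for demonstration.
SAMPLES=$(mktemp -d)
GOOD="$SAMPLES/GOOD"
BAD_KAME="$SAMPLES/BAD_KAME"
BAD_INET6="$SAMPLES/BAD_INET6"
NO_CRYPTO="$SAMPLES/NO_CRYPTO"

cat > "$GOOD" <<'EOF'
options         FAST_IPSEC
pseudo-device   crypto
device          ubsec       # Broadcom-based cards
device          hifn        # Hifn-based cards
EOF

cat > "$BAD_KAME" <<'EOF'
options         FAST_IPSEC
options         IPSEC       # KAME IPsec: conflicts with FAST_IPSEC
pseudo-device   crypto
EOF

cat > "$BAD_INET6" <<'EOF'
options         FAST_IPSEC
options         INET6
pseudo-device   crypto
EOF

cat > "$NO_CRYPTO" <<'EOF'
options         FAST_IPSEC
#pseudo-device  crypto      # commented out, so the framework is missing
EOF

for c in "$GOOD" "$BAD_KAME" "$BAD_INET6" "$NO_CRYPTO"; do
    if check_fast_ipsec_config "$c"; then
        echo "$c: ok"
    else
        echo "$c: would fail to build"
    fi
done
```

Comments are stripped before matching, so a commented-out "pseudo-device crypto" line is correctly reported as missing rather than silently accepted. Run it against your own config with "check_fast_ipsec_config /sys/i386/conf/MYKERNEL" after sourcing the file.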