Date: Fri, 5 Oct 2007 18:33:38 +0400
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Bubble Reading <bubblereading@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FastIPSec and OCF
Message-ID: <20071005143338.GT971@void.codelabs.ru>
In-Reply-To: <a65132710710050610r21821b1fx4aaf8df3625ce074@mail.gmail.com>
References: <a65132710710050251k46c049a4u73f7364be544c8f7@mail.gmail.com> <20071005101720.GI971@void.codelabs.ru> <a65132710710050426i4665f802re8542e31c8d90800@mail.gmail.com> <20071005114605.GP971@void.codelabs.ru> <a65132710710050610r21821b1fx4aaf8df3625ce074@mail.gmail.com>
Fri, Oct 05, 2007 at 02:10:06PM +0100, Bubble Reading wrote:
> Thanks much for your help.

You're welcome ;))

> I am using FreeBSD v6.2.
>
> My aim is to use a hardware crypto card.

Yes, but for what purpose? To accelerate IPSec or to do some cryptographic operations? This is a somewhat rhetorical question, because both issues are a bit lightened below ;))

> And OCF provides the generic kernel
> level interface to hardware cryptology.

Yes, and it's accessible through /dev/crypto, see crypto(4). Possibly you will want to read the original OCF design paper:
http://www.thought.net/jason/ocfpaper/node8.html#SECTION00042000000000000000

> As I understood from you that Fast-IPSec is a kernel level module which I
> can use to create a VPN tunnel. Is there a userland application which uses
> Fast-IPSec?

Fast IPSec is the networking layer. You can create the gifN device, configure it and it will encapsulate all traffic that is passing through it. Perhaps the traffic will be encrypted if you pass the right parameters to the setkey utility.

If you have some hardware accelerator, then it will be used automatically for operations it can accelerate: devices are registered to the crypto framework as the providers of certain operations. So, crypto hardware will be used automagically. The interesting question is what will be done if more than one cryptographic accelerator provides support for a given routine. Seems like some sort of load-balancing is done: the driver that has the smaller number of pending crypto operations is selected.

OK, I had somewhat lost the topic, so I am returning to the point. As for the userland application, there is some code in OpenSSL, see /usr/src/crypto/openssl/crypto/evp/openbsd_hw.c. I suspect that this is what the OCF design paper talks of as the OpenSSL enhancement. Another place in the OpenSSL code that uses /dev/crypto is /usr/src/crypto/openssl/crypto/engine/eng_cryptodev.c.

There is another place, http://www.logix.cz/michal/devel/cryptodev/, that has some examples on how to use OCF. It talks about Linux, but it was promised that the OCF API and semantics are preserved. You can also check out the contents of /usr/src/tools/tools/crypto/, especially cryptotest.c. Samuel Leffler has the Usenix paper, http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf, that talks about the optimizations of OCF that were done in FreeBSD. cryptotest.c was written by him to do the profiling.
-- 
Eygene
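The "create the gifN device, configure it, pass the right parameters to setkey" procedure from the reply above, written out as an added example (not code from the thread or from FreeBSD): a gif tunnel between two gateways whose encapsulated packets are required to carry ESP, with manually keyed SAs generated by the script. The addresses, SPIs, the AES-128/HMAC-SHA1 pairing and the transport-mode policy on the ipencap traffic are assumptions for illustration; Fast IPsec itself decides whether an OCF accelerator does the AES/HMAC work.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a setkey(8) script
# for a manually keyed ESP pair protecting gif-encapsulated traffic and shows
# the matching ifconfig steps. Addresses/SPIs below are constructed samples.
set -eu

# Random key material as a hex string of nbytes bytes (AES-128 key: 16,
# HMAC-SHA1 key: 20). Uses /dev/urandom so no extra tool is needed.
gen_key_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Emit the setkey(8) script. One ESP SA per direction with its own keys,
# then policies that require ESP (transport mode, since gif already does
# the tunnelling) for ipencap (IP protocol 4) packets between the outer
# tunnel endpoints. Keys are passed without the 0x prefix.
# Args: local_outer remote_outer spi_out spi_in aes_out hmac_out aes_in hmac_in
gen_setkey_conf() {
    local_ip=$1 remote_ip=$2 spi_out=$3 spi_in=$4
    aes_out=$5 hmac_out=$6 aes_in=$7 hmac_in=$8
    cat <<EOF
flush;
spdflush;
add $local_ip $remote_ip esp $spi_out -E aes-cbc 0x$aes_out -A hmac-sha1 0x$hmac_out;
add $remote_ip $local_ip esp $spi_in -E aes-cbc 0x$aes_in -A hmac-sha1 0x$hmac_in;
spdadd $local_ip $remote_ip ipencap -P out ipsec esp/transport//require;
spdadd $remote_ip $local_ip ipencap -P in ipsec esp/transport//require;
EOF
}

# The gif side: create the device, set outer (tunnel) and inner addresses.
# Args: local_outer remote_outer local_inner remote_inner
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
}

# Stand-alone run: print what would be applied on the local gateway.
# Applying it would be: gif_commands ... | sh; gen_setkey_conf ... | setkey -f /dev/stdin
# (the peer loads the same SAs with the spdadd directions swapped).
gif_commands 198.51.100.1 203.0.113.1 10.255.0.1 10.255.0.2
gen_setkey_conf 198.51.100.1 203.0.113.1 0x1000 0x1001 \
    "$(gen_key_hex 16)" "$(gen_key_hex 20)" "$(gen_key_hex 16)" "$(gen_key_hex 20)"
```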