Date:      Thu, 23 Jan 2003 21:39:45 -0800
From:      "Sam Leffler" <sam@errno.com>
To:        <freebsd-stable@freebsd.org>
Subject:   HEADS UP: fast ipsec committed
Message-ID:  <174301c2c36b$00f68c70$52557f42@errno.com>

I just committed my "Fast IPsec" support.  This is an implementation of the
IPsec protocols that makes use of the kernel crypto framework.  What this
means is that if you have a hardware crypto card it will automatically be
used by the protocols.  If you don't have crypto hardware you will use the
host cpu as before.

Note that this code has been in use for quite a while but should be
considered "experimental".  There is no IPv6 support (there is code but it's
more a placeholder than anything else) and the IPcomp support is presently
busted (ENOTIME).

You cannot configure both this code and the KAME IPsec code together; you
will get a compile error.  For the moment you will also get a compile error
if you try to enable IPv6 together with this code.  I plan to remove that
soon.

If you want to configure the code use something like this in your kernel
config file:

options         FAST_IPSEC
pseudo-device   crypto
device          ubsec           # for Broadcom-based crypto cards
device          hifn            # for Hifn-based crypto cards

There should be minimal user-visible differences from the KAME IPsec code.
In particular you should be able to use racoon, setkey, isakmpd, or whatever
as with KAME.  The output of netstat -s is not meaningful for ah, esp,
ipcomp, and ipip--statistics are done rather differently and I haven't
committed any of this code yet.  If you want to monitor the statistics for
now you'll need to use gdb -k or use sysctl to fetch the statistics blocks
(there's one for each of the ah, esp, ipcomp, and ipip protocols).  You'll
also note some differences in the MIBs; if you're curious look at the code
in the sys/netipsec directory.

I've gotten numerous questions about where to get crypto hardware.  For
low-end hifn-based crypto hardware check out www.soekris.com.  The vpn1201
cards use hifn 7951 parts that I see peak out at 80 Mb/s for 3DES+SHA1/MD5.
Higher performance hifn-based cards are available from GTGI (www.gtgi.com);
my tests show them peak at ~150 Mb/s.  Otherwise there are Broadcom-based
cards.  Those based on the 5822 part have a peak rate of 400 Mb/s.  At the
moment however I'm not sure where they can be had unless you're an OEM.  I'm
working on finding a source and will post here when there is something to
say.

Adding new/different crypto hardware is just a matter of creating a driver.
If the hardware is already supported by OpenBSD then it's just a matter of
porting their driver which isn't a big deal.  If you know of good crypto
hardware that you want supported, tell the vendor to contact me and I'll see
what I can do.

For application acceleration you can grab a copy of OpenSSL 0.9.7 which was
recently released.  It should build out of the box to support /dev/crypto.
Then any application that uses openssl will automatically be h/w
accelerated.  (This has nothing to do with fast ipsec but I mention it since
I'm sure I'll get asked.)

As always this commit should be a noop if you don't use the code.  Please
contact me if you see any ill effects.

    Sam
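As an added illustration of the configuration constraints the mail lays out (not code from Sam's mail or from the FreeBSD tree), the following POSIX sh script lints a kernel config file for a Fast IPsec build: FAST_IPSEC must be accompanied by the crypto pseudo-device, must not be combined with the KAME IPsec option, and at the time of the mail does not build together with IPv6. The spellings of the KAME option (`options IPSEC`) and the IPv6 option (`options INET6`) are my assumptions, as are the two constructed sample configs the demo writes to a temporary directory.

```shell
#!/bin/sh
# Added example: lint a FreeBSD kernel config for the Fast IPsec rules
# described in the announcement.  Assumed (not stated in the mail):
# KAME IPsec is "options IPSEC", IPv6 is "options INET6".

# Print "<keyword> <name>" for every options/device/pseudo-device line,
# with comments, trailing whitespace and blank lines stripped.
config_tokens() {
    # $1: path to the kernel config file
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" \
      | awk 'NF >= 2 && ($1 == "options" || $1 == "device" || $1 == "pseudo-device") {
               print $1 " " $2 }'
}

# Return 0 if the config is an acceptable Fast IPsec config (or does not
# enable FAST_IPSEC at all), 1 otherwise; each problem is printed.
check_fast_ipsec_config() {
    conf="$1"
    tokens=$(config_tokens "$conf")
    rc=0
    if ! printf '%s\n' "$tokens" | grep -qx 'options FAST_IPSEC'; then
        echo "$conf: FAST_IPSEC not enabled; nothing to check"
        return 0
    fi
    if ! printf '%s\n' "$tokens" | grep -qx 'pseudo-device crypto'; then
        echo "$conf: FAST_IPSEC needs 'pseudo-device crypto'"
        rc=1
    fi
    if printf '%s\n' "$tokens" | grep -qx 'options IPSEC'; then
        echo "$conf: FAST_IPSEC and KAME IPSEC cannot both be configured"
        rc=1
    fi
    if printf '%s\n' "$tokens" | grep -qx 'options INET6'; then
        echo "$conf: FAST_IPSEC does not yet build together with INET6"
        rc=1
    fi
    # Not an error: without ubsec/hifn the protocols simply use the host CPU.
    if ! printf '%s\n' "$tokens" | grep -Eqx 'device (ubsec|hifn)'; then
        echo "$conf: note: no crypto hardware driver configured; using host CPU"
    fi
    return $rc
}

# Demo on two constructed configs (sample input written here, not real files).
demo() {
    d=$(mktemp -d)
    printf 'options\tFAST_IPSEC\npseudo-device crypto\ndevice ubsec # Broadcom\n' > "$d/FAST"
    printf 'options FAST_IPSEC\noptions IPSEC\noptions INET6\n' > "$d/MIXED"
    for f in "$d/FAST" "$d/MIXED"; do
        if check_fast_ipsec_config "$f"; then
            echo "$f: ok"
        else
            echo "$f: rejected"
        fi
    done
    rm -rf "$d"
}

demo
```

Run it against a real config with `check_fast_ipsec_config /sys/i386/conf/MYKERNEL` (path assumed); a non-zero exit means the config would hit one of the compile errors the mail describes.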
