NetBSD-SoC: Fast_ipsec and IPv6
Most of of the code has now been merged in the NetBSD tree. I will continue
to work on the subject but not on this web page. You can check my current
work on the subject on zulzul.free.fr
What is it?
The IPSEC protocol is a set of protocols standardized by the IETF for
secure communications of IP Datagrams.
The first implementation available for NetBSD is the Kame implementation.
This implementation is good but lacks some important features e.g it isn't possible to use crypto accelerated hardware.
The Fast_ipsec implementation is a new implementation of Ipsec, written by
Samuel Leffler and Stone. This stack has been written in order to use
efficiently crypto hardware. This stack has first been written for FreeBSD,
and then ported to NetBSD. The most important caveat of Fast IPsec is the
lack of support for IPv6.
The goal of the project is to add ipv6 support in the Fast_ipsec
stack to get a full and accelerated ipsec stack.
- 2006-05-23: Google publishes accepted/rejected projects. Go!
- 2006-06-26: Google solicits mid-program mentor evaluations of student progress
- 2006-06-30: All mid-program evaluations of student progress due by 17.00 Pacific Standard Time
- 2006-08-21: All student projects due by 08.00 Pacific Standard Time
- 2006-09-05: All mentor and student evaluations due by 08.00 Pacific Standard Time
Mandatory (must-have) components:
- Basicly, a working implementation of fast_ipsec on ipv6
Optional (would-be-nice) components:
Some interesting papers about fast_ipsec and the crypto hardware framework.
Some useful RFC about IPsec
- Samuel J. Leffler Fast IPSec: A High-Performance IPsec
Implementation BSDCon '03 Paper
( link )
- Samuel J. Leffler Cryptographic Device Support for FreeBSD
BSDCon '03 Paper
( link )
- Security Architecture for the Internet Protocol
- IP Authentication Header
- IP Encapsulating Security Payload (ESP)
- IP Payload Compression Protocol (IPComp)
Get the project
In order to test the project, you need two differents things
After that, you need to
- NetBSD current source ( 4.99.3 ).
- a copy of the ipsec6 modules : see the instrution on the NetBSD SoC page .
Another solution, just get a NetBSD kernel here (
GENERIC.FAST_IPSEC with option TCP_SIGNATURE and various DEBUG options) and
- Create symlink between $SRCDIR/sys/netinet and the netinet directory
in the ipsec6 module, same things for netinet6 and netipsec
- Add FAST_IPSEC options to your kernel ( and IPSEC_DEBUG if you want
debug messages )( or just use GENERIC.FAST_IPSEC ).
- Rebuild and install your new kernel.
Technical status of the project
Tested and seems to work
- transport mode ah
- transport mode esp
- tunnel mode ah
- tunnel mode esp
- Ipcomp is now working, both on IPv4 and IPv6 ( currently there are
some crypto problem due to deflate implementation, increase ZBUF in
opencrypto/deflate.h solves the issue ).
- Tcp md5sum works
- More work is needed to play with ipsec and extension header on ipv6.
The following interfaces are used by fast_ipsec :
The implementation of Kame ipsec stack is stored into sys/netinet6 ( file
esp_* ah_* ipcomp_* ipsec.c ). The current fast_ipsec implementation is
stored into sys/netipsec.
| Degroote Arnaud <email@example.com> |
| $Id: index.html,v 1.11 2007/03/13 21:00:27 zul_ Exp $ |