NetBSD-SoC: Fast_ipsec and IPv6

Important

Most of the code has now been merged in the NetBSD tree. I will continue to work on the subject but not on this web page. You can check my current work on the subject on zulzul.free.fr

What is it?

IPsec is a set of protocols standardized by the IETF for secure communication of IP datagrams.

The first implementation available for NetBSD is the KAME implementation. This implementation is good but lacks some important features, e.g. it isn't possible to use crypto acceleration hardware.

Fast_ipsec is a newer implementation of IPsec, written by Samuel Leffler and Stone. The stack was written to make efficient use of crypto hardware. It was first written for FreeBSD and then ported to NetBSD. The most important caveat of Fast_ipsec is the lack of support for IPv6.

The goal of the project is to add IPv6 support to the Fast_ipsec stack, to get a full and accelerated IPsec stack.

Status

Deliverables

Mandatory (must-have) components:

Optional (would-be-nice) components:

Documentation

Some interesting papers about Fast_ipsec and the crypto hardware framework. Some useful RFCs about IPsec.

Get the project

In order to test the project, you need two different things:

After that, you need to:
  1. Create a symlink between $SRCDIR/sys/netinet and the netinet directory in the ipsec6 module, and do the same for netinet6 and netipsec.
  2. Add the FAST_IPSEC option to your kernel configuration (and IPSEC_DEBUG if you want debug messages), or just use GENERIC.FAST_IPSEC.
  3. Rebuild and install your new kernel.
Another solution: just get a NetBSD kernel here (GENERIC.FAST_IPSEC with option TCP_SIGNATURE and various DEBUG options) and install it.
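Steps 1 and 2 of the procedure above as a repeatable shell script. This is an added example, not part of the project's own files; the function names, the MODDIR argument and the paths in the usage comment are assumptions. The original sys directories are kept as `.orig` so the source tree can be restored.

```sh
#!/bin/sh
# Added example. SRCDIR = root of the NetBSD source tree, MODDIR = directory
# where the ipsec6 module was unpacked (both are caller-supplied assumptions).

# Step 1: make $SRCDIR/sys/{netinet,netinet6,netipsec} symlinks to the
# module's directories, keeping any original directory as <name>.orig.
link_ipsec6_dirs() {
    srcdir=$1
    # Resolve to an absolute path so the links work from inside $SRCDIR/sys.
    moddir=$(cd "$2" && pwd) || return 1
    # Check all three sources first, so a partial module changes nothing.
    for d in netinet netinet6 netipsec; do
        if [ ! -d "$moddir/$d" ]; then
            echo "missing module directory: $moddir/$d" >&2
            return 1
        fi
    done
    for d in netinet netinet6 netipsec; do
        target="$srcdir/sys/$d"
        if [ -L "$target" ]; then
            rm "$target" || return 1        # link left by an earlier run
        elif [ -e "$target" ]; then
            if [ -e "$target.orig" ]; then
                echo "refusing to overwrite $target.orig" >&2
                return 1
            fi
            mv "$target" "$target.orig" || return 1
        fi
        ln -s "$moddir/$d" "$target" || return 1
    done
}

# Step 2: succeed only if the kernel configuration file given as $1 has an
# active (uncommented) "options FAST_IPSEC" line.
has_fast_ipsec() {
    grep -Eq '^[[:space:]]*options[[:space:]]+FAST_IPSEC([[:space:]]|$)' "$1"
}

# Usage, with placeholder paths:
#   link_ipsec6_dirs /usr/src /path/to/ipsec6 &&
#   has_fast_ipsec /usr/src/sys/arch/i386/conf/MYKERNEL
```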

Technical status of the project

Tested and seems to work

Untested