Thread: FastIPSec and OCF
|
|
| FastIPSec and OCF |

|
2007-10-05 04:51:56 |
Hi,
Does FASTIPSec in FreeBSD use OCF framework? Where can I find more documentation?
I wish to run cryptographic algorithms after setting a VPN. What command should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)
Where can I find all such information?
--
Regards,
Bubble
_______________________________________________
freebsd-security freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe freebsd.org"
|
|
| Re: FastIPSec and OCF |
  Russian Federation |
2007-10-05 05:17:20 |
Good day.
Fri, Oct 05, 2007 at 10:51:56AM +0100, Bubble Reading wrote:
> Does FASTIPSec in FreeBSD use OCF framework? Where can I find more
> documentation?
OCF: man 9 crypto
IPSec: man 4 ipsec
It will give you some pointers, at least on the 7-CURRENT.
<offtopic>
You can not say 'OCF Framework', because OCF stands for the OpenBSD Cryptographic Framework, so you repeat the last word twice.
</offtopic>
> I wish to run cryptographic algorithms after setting a VPN. What command
> should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)
I think that it depends on the toolset you're using to make VPN.
Or you want to do it from your own code? Then you may want to have a look at the ports security/racoon2 and security/ipsec-tools.
--
Eygene
|
|
| Re: FastIPSec and OCF |

|
2007-10-05 06:26:15 |
Hiya,
Can I use Fast-IPSec as a tool to run a crypto command?
Are there any examples?
Bubble
On 10/5/07, Eygene Ryabinkin <rea-fbsd codelabs.ru> wrote:
>
> Good day.
>
> Fri, Oct 05, 2007 at 10:51:56AM +0100, Bubble Reading wrote:
> > Does FASTIPSec in FreeBSD use OCF framework? Where can I find more
> > documentation?
>
> OCF: man 9 crypto
> IPSec: man 4 ipsec
> It will give you some pointers, at least on the 7-CURRENT.
>
> <offtopic>
> You can not say 'OCF Framework', because OCF stands for the
> OpenBSD Cryptographic Framework, so you repeat the last word twice.
> </offtopic>
>
> > I wish to run cryptographic algorithms after setting a VPN. What command
> > should I use to run a particular cryptographic algorithm (e.g. 3DES etc.)
>
> I think that it depends on the toolset you're using to make VPN.
> Or you want to do it from your own code? Then you may want to
> have a look at the ports security/racoon2 and security/ipsec-tools.
> --
> Eygene
>
--
Regards,
Bubble
|
|
| Re: FastIPSec and OCF |
  Russian Federation |
2007-10-05 06:46:05 |
Fri, Oct 05, 2007 at 12:26:15PM +0100, Bubble Reading wrote:
> Can I use Fast-IPSec as a tool to run a crypto command?
If you mean by 'Fast-IPSec' the implementation of the IPSec made by George Neville-Neil (used to be FAST_IPSEC, but in the 7-CURRENT old KAME stack was thrown away, so now it is named just IPSEC), then no, it is the kernel-level implementation of the IPSEC protocol.
But maybe you will be interested in the setkey utility and the ipsec_set_policy manual page. And the FreeBSD Handbook IPSec section,
http://www.freebsd.org/doc/en/books/handbook/ipsec.html
is worth reading too.
--
Eygene
|
|
| Re: FastIPSec and OCF |
  Russian Federation |
2007-10-05 09:33:38 |
Fri, Oct 05, 2007 at 02:10:06PM +0100, Bubble Reading wrote:
> Thanks much for your help.
You're welcome ;))
> I am using FreeBSD v6.2.
>
> My aim is to use a hardware crypto card.
Yes, but for what purpose? To accelerate IPSec or to do some cryptographic operations? This is a somewhat rhetorical question, because both issues are a bit lightened below ;))
> And OCF provides the generic kernel
> level interface to hardware cryptology.
Yes, and it's accessible through the /dev/crypto, see crypto(4).
Possibly you will want to read the original OCF design paper:
http://www.thought.net/jason/ocfpaper/node8.html#SECTION00042000000000000000
> As I understood from you that Fast-IPSec is a kernel level module which I
> can use to create a VPN tunnel. Is there a userland application which uses
> Fast-IPSec?
Fast IPSec is the networking layer. You can create the gifN device, configure it and it will encapsulate all traffic that is passing through it. Perhaps, the traffic will be encrypted if you pass the right parameters to the setkey utility. If you have some hardware accelerator, then it will be used automatically for operations it can accelerate: devices are registered to the crypto framework as the providers of certain operations. So, crypto hardware will be used automagically.
The interesting question is what will be done if more than one cryptographic accelerator provides support for a given routine. Seems like some sort of load-balancing is done: the driver that has the smaller number of the pending crypto operations is selected.
OK, I had somewhat lost the topic, so I am returning to the point.
As for the userland application, there is some code in the OpenSSL, see /usr/src/crypto/openssl/crypto/evp/openbsd_hw.c. I suspect that this is what the OCF design paper talks of as the OpenSSL enhancement. Another place in the OpenSSL code that uses /dev/crypto is /usr/src/crypto/openssl/crypto/engine/eng_cryptodev.c.
There is another place, http://www.logix.cz/michal/devel/cryptodev/, that has some examples on how to use OCF. It talks about Linux, but it was promised that the OCF API and semantics are preserved.
You can also check out the contents of the /usr/src/tools/tools/crypto/, especially cryptotest.c. Samuel Leffler has the Usenix paper,
http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
that talks about the optimizations of OCF that were done in FreeBSD.
cryptotest.c was written by him to do the profiling.
--
Eygene
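
Added example, not part of the original thread: a setkey input file of the kind the last reply refers to, asking the kernel IPsec stack for 3DES-CBC ESP on the IP-in-IP packets of a gif tunnel. The addresses (documentation ranges), SPIs and keys are constructed placeholders, and the file name /etc/ipsec.conf is an assumption.

```conf
# /etc/ipsec.conf on host A (192.0.2.1); load it with: setkey -f /etc/ipsec.conf
# Constructed example: addresses, SPIs and keys are placeholders.
# Host B (198.51.100.1) uses the same SAs, with "in" and "out" swapped
# in the two policies.

# Drop all existing security associations (SAD) and policies (SPD).
flush;
spdflush;

# One security association per direction.
# -E selects the cipher the kernel IPsec code requests from the crypto
# framework, so a registered hardware provider of 3DES is picked up without
# any extra option here. 3des-cbc takes a 24-byte key, hmac-sha1 a 20-byte key.
add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
    -E 3des-cbc  "CONSTRUCTED-3DES-KEY-024"
    -A hmac-sha1 "CONSTRUCTED-AUTH-020";
add 198.51.100.1 192.0.2.1 esp 0x1002 -m tunnel
    -E 3des-cbc  "CONSTRUCTED-3DES-KEY-025"
    -A hmac-sha1 "CONSTRUCTED-AUTH-021";

# Policies: the encapsulated (gif) traffic between the two endpoints must
# be protected by ESP in both directions, otherwise it is not sent/accepted.
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

After loading, setkey -D lists the security associations and setkey -DP the policies. With an IKE daemon such as racoon from security/ipsec-tools, the two add statements are negotiated instead of being written by hand.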