My fast_ipsec related work

What is it ?

The IPSEC protocol is a set of protocols standardized by the IETF for secure communications of IP Datagrams.

The first implementation available for NetBSD is the Kame implementation. This implementation is good but lacks some important features e.g it isn't possible to use crypto accelerated hardware.

The Fast IPSec implementation is a new implementation of Ipsec, written by Samuel Leffler and Stone. This stack has been written in order to use efficiently crypto hardware. This stack has first been written for FreeBSD, and then ported to NetBSD. The most important caveat of Fast IPsec was the lack of support for IPv6.

What I have already done

• Add ipcomp support to Fast IPSec
• it is now possible to encrypt/authenticate ipv6 packet with fast_ipsec
• Add IPSEC_NAT_T support to fast_ipsec(4)

Futur works

• Fix open PRs about fast_ipsec(4)
• Currently, there are several issues with the implementation of the output path. First, it performs twice the work in the case of transport mode transformation because the frame is always reinject into ip{,6}_output. Secundly, in some case, it doesn't return the correct error to userland. It's because Fast IPSEC use a continuation model and the whole ip stack use a classic model.
• Rewrite the key management. For that, better separate the key management from the PF_KEY management. For key management, we need to use better data structure and we probably need to improve the locking. While here, I may add an implementation for PAD.

Related standards

• Security Architecture for the Internet Protocol RFC 4301
• IP Authentication Header RFC 4302
• IP Encapsulating Security Payload (ESP) RFC 4303
• IP Payload Compression Protocol (IPComp) RFC 3173
• Negotiation of NAT-Traversal in the IKE RFC 3947
• UDP Encapsulation of IPsec ESP Packets RFC 3948