My fast_ipsec related work
What is it?
IPsec is a set of protocols standardized by the IETF for
secure communication of IP datagrams.
The first implementation available for NetBSD is the KAME implementation.
This implementation is good but lacks some important features, e.g. it isn't
possible to use hardware crypto accelerators.
The Fast IPsec implementation is a new implementation of IPsec, written by
Samuel Leffler and Stone. This stack was written to make efficient use of
crypto hardware. It was first written for FreeBSD, and then ported to
NetBSD. The most important caveat of Fast IPsec was the lack of support
for IPv6.
What I have already done
- Added IPComp support to Fast IPsec
- It is now possible to encrypt/authenticate IPv6 packets with fast_ipsec
- Added IPSEC_NAT_T support to fast_ipsec(4)
Future work
- Fix open PRs about fast_ipsec(4)
- Currently, there are several issues with the implementation of
the output path. First, it performs the work twice in the case
of a transport mode transformation, because the frame is always
reinjected into ip{,6}_output. Secondly, in some cases, it doesn't
return the correct error to userland. This is because Fast IPsec
uses a continuation model while the whole IP stack uses a classic
model.
- Rewrite the key management.
For that, better separate the key management from the PF_KEY
management. For key management, we need to use better data
structures and we probably need to improve the locking. While
here, I may add an implementation for PAD.
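A simplified model of the second output-path issue above (the lost error), added here as an illustration; it is not NetBSD or Fast IPsec code, and every function name and the queue are hypothetical. The continuation-style path returns before the transform completes, so a late failure never reaches the caller's return value, while the classic path reports it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout: a model of the control flow only. */
typedef void (*crypto_cb)(int error, void *arg);
struct crypto_req { int fail_with; crypto_cb done; void *arg; };

static struct crypto_req queue[8];
static size_t queued;

/* Continuation model: queue the transform and return to the caller at once. */
static int crypto_dispatch(int fail_with, crypto_cb done, void *arg)
{
    if (queued == sizeof(queue) / sizeof(queue[0]))
        return ENOBUFS;              /* only queueing errors are synchronous */
    queue[queued++] = (struct crypto_req){ fail_with, done, arg };
    return 0;
}

/* Completion context: runs the continuations after the sender has returned. */
static void crypto_intr(void)
{
    for (size_t i = 0; i < queued; i++)
        queue[i].done(queue[i].fail_with, queue[i].arg);
    queued = 0;
}

/* Continuation: no caller to return to, so the error is only recorded. */
static void ipsec_output_done(int error, void *arg) { *(int *)arg = error; }

/* Continuation-style output: this return value is what userland would see. */
static int ip_output_model(int fail_with, int *late_error)
{
    return crypto_dispatch(fail_with, ipsec_output_done, late_error);
}

/* Classic model: the transform completes before the function returns. */
static int ip_output_sync_model(int fail_with)
{
    int err = 0, rc = crypto_dispatch(fail_with, ipsec_output_done, &err);
    if (rc != 0)
        return rc;
    crypto_intr();
    return err;
}

int main(void)
{
    int late = 0, rc = ip_output_model(EINVAL, &late); /* constructed failure */
    crypto_intr();
    printf("continuation: returned %d, late error %d\n", rc, late);
    printf("classic: returned %d\n", ip_output_sync_model(EINVAL));
    return 0;
}
```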
Related standards
- Security Architecture for the Internet Protocol
RFC 4301
- IP Authentication Header
RFC 4302
- IP Encapsulating Security Payload (ESP)
RFC 4303
- IP Payload Compression Protocol (IPComp)
RFC 3173
- Negotiation of NAT-Traversal in the IKE
RFC 3947
- UDP Encapsulation of IPsec ESP Packets
RFC 3948