(usagi-users 02186) Re: Two questions about IPSec & algorithms
On Tue, Feb 04, 2003 at 05:14:33PM +0100, Garzon Maldonado, Jesus Javier wrote:
>
> Sorry, but I'm afraid I am not explaining my problems correctly.
>
> When you configure the kernel provided by USAGI, you can add support for AES algorithm (Cryptographic options --->AES (aka Rijndael) cipher). Then I supposed that when you do this, you can use AES algorithm for ESP encryption. However in the USAGI's IPsec howto there is no example with aes encryption and I don't know how to use it in ipsec.conf file.
As Kanda-san (is that correct?) explained, the AES option in the kernel
config enables the kernel to use AES. However, the userspace IKE daemon
-- Pluto -- is a different story altogether: it cannot, of course, use
the kernel AES code!
An IKE daemon might use AES for two purposes:
1. Itself, for protecting the IKE traffic
2. Tell the kernel to use AES to protect IPSec traffic.
For 1, Pluto needs to have AES code. For 2, it does not need actual AES
code, but only the appropriate AES algorithm constant (SADB_EALG_AES).
> On the other side, I've been performing some tests with an IPv6 enabled FreeS/WAN (provided by Parijat Mishra). For FreeS/WAN implementations there is available a patch that adds support for other encryption algorithms (AES, blowfish, etc.) not supported by FreeS/WAN natively. This patch can be found at http://www.freeswan.ca/patches/www.irrigacion.gov.ar/juanjo/ipsec/. (Note: I couldn't apply this patch to this IPv6 version of FreeS/WAN)
Not having seen this patch, I am not sure whether it enables AES for IKE
protection, IPSec protection, or both. In any case, having some
experience with upgrading FreeS/WAN for IPv6, I would not be surprised
that the patch did not apply. It would be a tortuous task. What
version of FreeS/WAN is the patch against?
It would be far easier to enable USAGI's version of Pluto to tell the
kernel to use AES protection (I guess). It might be a more difficult
matter to teach Pluto to use AES for IKE protection. I do not know how
much modification/cleanup USAGI made to Pluto. If it was as good as the
work they did on the kernel IPSec then it might even be easy-peasy.
Unless there is an out-of-band reason to use FreeS/WAN, I would always
recommend using USAGI's implementation rather than my poor hack ;-)
> Since USAGI IPSec implementation is based on FreeS/WAN implementation
Not anymore, it isn't. For instance, the kernel crypto is from the
international kernel -- kerneli.org -- tree (am I right?).
> When you tell me that I should check if SADB_EALG_AES was defined, I searched in usagi/pluto/kernel.c. I don't know what this has to do with Juanjo's patch.
What he means is does Juanjo's patch enable Pluto to talk AES to the
kernel and negotiate AES protection for IPSec with the peer?
--
Sincerely,
Parijat Mishra
R & D Engineer,
Institute for Communications Research
Tel: (65)68709353
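Purpose 2 from the reply above (the IKE daemon hands the kernel only the algorithm identifier and the key, no AES code of its own), shown as an added C example that is not USAGI or Pluto code: it assembles an RFC 2367 PF_KEY SADB_ADD message for an ESP SA using private copies of the RFC struct layouts. The numeric value given to SADB_EALG_AES and the all-zero test key are assumptions; the real identifier lives in the kernel's pfkeyv2.h.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2367 constants. SADB_EALG_AES is not in the RFC: the value below is an
   assumed placeholder; the authoritative number is in the kernel's pfkeyv2.h. */
#define PF_KEY_V2            2
#define SADB_ADD             3
#define SADB_SATYPE_ESP      3
#define SADB_EXT_SA          1
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_SASTATE_MATURE  1
#define SADB_AALG_NONE       0
#define SADB_EALG_AES        12   /* assumed placeholder value */

/* Private copies of the RFC 2367 layouts so this compiles without kernel headers. */
struct sadb_msg { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_sa  { uint16_t len, exttype; uint32_t spi; uint8_t replay, state, auth, encrypt; uint32_t flags; };
struct sadb_key { uint16_t len, exttype, bits, reserved; };   /* key bytes follow the header */

static size_t units(size_t bytes) { return (bytes + 7) / 8; }   /* PF_KEY lengths are in 8-byte units */

/* Builds header + SA + encryption-key extensions for an ESP SA that uses AES.
   (A real SADB_ADD also carries src/dst address extensions, omitted here.)
   Returns bytes written, or 0 if buf is too small or keylen is not an AES key size. */
size_t build_esp_aes_add(uint8_t *buf, size_t cap, uint32_t spi_nbo, const uint8_t *key, size_t keylen)
{
    if (keylen != 16 && keylen != 24 && keylen != 32) return 0;
    size_t keyext = units(sizeof(struct sadb_key) + keylen) * 8;      /* key zero-padded to 8 bytes */
    size_t total  = sizeof(struct sadb_msg) + sizeof(struct sadb_sa) + keyext;
    if (cap < total) return 0;
    memset(buf, 0, total);
    struct sadb_msg *m = (struct sadb_msg *)buf;
    m->version = PF_KEY_V2; m->type = SADB_ADD; m->satype = SADB_SATYPE_ESP;
    m->len = (uint16_t)units(total); m->seq = 1;
    struct sadb_sa *sa = (struct sadb_sa *)(buf + sizeof *m);
    sa->len = (uint16_t)units(sizeof *sa); sa->exttype = SADB_EXT_SA;
    sa->spi = spi_nbo; sa->state = SADB_SASTATE_MATURE; sa->auth = SADB_AALG_NONE;
    sa->encrypt = SADB_EALG_AES;            /* the daemon only names the cipher ... */
    struct sadb_key *k = (struct sadb_key *)(buf + sizeof *m + sizeof *sa);
    k->len = (uint16_t)units(keyext); k->exttype = SADB_EXT_KEY_ENCRYPT; k->bits = (uint16_t)(keylen * 8);
    memcpy(k + 1, key, keylen);             /* ... and hands over the negotiated key bytes */
    return total;
}

/* Check helpers using a constructed all-zero key (test input only). */
size_t demo_len(size_t keylen) { uint8_t b[128], key[32] = {0}; return build_esp_aes_add(b, sizeof b, 0x01000000u, key, keylen); }
int demo_encrypt_id(size_t keylen) {
    uint8_t b[128], key[32] = {0};
    if (!build_esp_aes_add(b, sizeof b, 0x01000000u, key, keylen)) return -1;
    return ((struct sadb_sa *)(b + sizeof(struct sadb_msg)))->encrypt;
}

int main(void) { printf("AES-128 SADB_ADD: %zu bytes, encrypt id %d\n", demo_len(16), demo_encrypt_id(16)); return 0; }
```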