OpenBSD Journal

IPsec Hackathon update

Contributed by marco on from the we-cant-pronounce-your-name-but-we-love-your-code dept.

Hans-Joerg Hoexer sent the following blurb:
The OpenBSD IPsec Hackathon is over. Developers are on their way back home or continue travelling in Germany. The location was awesome (Schloss Kransberg). The calmness of the countryside and the modern infrastructure helped a lot to focus on hacking and quite a few things got done that will make the 4.0 release:
  • sasyncd now controls isakmpd: This makes it possible to run isakmpd non-passive in an HA setup, as needed when using failover setups on both sides.
  • Several bugfixes in various places went in (like interaction with bgpd or PF_KEY socket handling).
  • Support for AH in ipsecctl.
  • Big documentation update for ipsec.conf and friends. This work will continue for the next weeks. So there will be some more improvements that will go in for 4.0. Stay tuned!

Some projects that were started at some time this year continued. Diffs will go in as soon as the tree is unlocked again and ready for 4.0-current:

  • pf tagging for IPsec implemented, lots of discussion went on about how to do it right. Both userland and kernel code work now.
  • tcpdump can now decode ESP and AH for ipv6, too.

Moreover, several projects were kicked off shortly before or during k2k6:

  • More work on sasyncd and isakmpd, there are several diffs pending for review and testing.
  • More interop testing.
  • Work on IKEv2 started.
  • XAUTH and Hybrid Authentication.

Thanks to all hackers and those that made this event possible!



Comments
  1. By Toxa (62.16.127.230) on

    Wow, great!
    What about participant photos? ;)

  2. By Massimo Lusetti (81.208.83.235) on

    Amazing work guys.
    I've recently read in a somehow hijacked thread on misc that hackers don't do docs or at least don't do good docs. I think that's simply not true; from my side, the main feature of OpenBSD is the documentation.

    Thanks!

    Comments
    1. By Matthias Kilian (84.134.36.66) on

      > I've recently read in a somehow hijacked thread on misc that hackers don't do docs or at least don't do good docs,[...]

      Huh? I can't remember such a thread. Are you sure it wasn't just some joke like "it was hard to write so it should be hard to use"?

      Anyways, whoever made such a claim never had a look at the CVS Changelog (or the cvs commit mailing lists).

  3. By Anonymous Coward (84.56.139.221) on

    Will IPSEC now take advantage of the hardware crypto acceleration in VIA C7 CPUs? If so what {quick,main} auth settings should be used?

    http://www.via.com.tw/en/products/processors/c7/

    says that aes + sha-256 (the defaults) should work?

    Comments
    1. By hshoexer (194.95.224.220) on

      > Will IPSEC now take advantage of the hardware crypto acceleration in VIA C7 CPUs? If so what {quick,main} auth settings should be used?
      >
      > http://www.via.com.tw/en/products/processors/c7/
      >
      > says that aes + sha-256 (the defaults) should work?

      It will. However, it will only use the AES instructions of the VIA C3/C7; HMACs are done as usual in software. Thus, just use the defaults selected by ipsecctl.

      Comments
      1. By Anonymous Coward (212.112.241.159) on

        > > Will IPSEC now take advantage of the hardware crypto acceleration in VIA C7 CPUs? If so what {quick,main} auth settings should be used?
        > >
        > > http://www.via.com.tw/en/products/processors/c7/
        > >
        > > says that aes + sha-256 (the defaults) should work?
        >
        > it will. However, it will only use the AES instructions of the VIA c3/c7, HMACs are done as usual in software. Thus, just use the defaults selected by ipsecctl.
        How about RSA? Will it accelerate RSA on this CPU?
        cpu0: VIA Esther processor 1000MHz ("CentaurHauls" 686-class) 1 GHz
        cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
        cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
        

        Comments
        1. By hshoexer (131.188.33.56) on

          >
          > How about RSA ? will it accelerate RSA on this CPU ?
          >
          >
          > cpu0: VIA Esther processor 1000MHz ("CentaurHauls" 686-class) 1 GHz
          > cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
          > cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
          >

          not yet, but it will.

  4. By Simon Dassow (213.128.132.194) janus (at) errornet (dot) de on http://janus.errornet.de

    Awesome improvements!
    I'm really excited that XAUTH is on the plan now... as it makes roadwarrior setups easier to use for the average user IMHO.

    Constantly increasing the OpenBSD addiction factor proves that we chose the right way ;-)

    Kind regards,
    Simon

  5. By Anonymous Coward (80.213.140.180) on

    It would be nice if anyone could shed some light on the current state of OpenBSD's IPSec implementation vs. OpenVPN from a user's perspective.

    Comments
    1. By Anonymous Coward (24.46.21.229) on

      > It would be nice if anyone could shed some light on the current state of OpenBSD's IPSec implementation vs. OpenVPN from a users perspective,

      Well, for starters they have absolutely nothing to do with one another. OpenVPN is an SSL tunnel, whereas IPSec is just that, IP Secured (it can operate in a tunnel mode as well... Wikipedia has a good look into IPSec). They operate at different levels of transfer. The usual 'look it up in Wikipedia or the like' applies.

    2. By Anonymous Coward (87.78.67.102) on

      <insert rant about openvpn...>
      just compare the documentation. ok, you can't compare openbsd's ipsec[.conf](5) to that mess openvpn supplies.
      let's not speak about the effort involved to get more than a handful of subnets or endpoints configured on the same box.

      if you control the border-gateways don't even bother with openvpn. ipsec is the way to go. it's a much cleaner solution.
      the places where i can't control the border, there is always some cisco stuff they have/want to keep and that can in the majority of cases be configured to route the traffic in a way i can work around it.


      > It would be nice if anyone could shed some light on the current state of OpenBSD's IPSec implementation vs. OpenVPN from a users perspective,

      your line of questioning implies that openbsd has to catch up, that is just simply wrong.

    3. By Anonymous Coward (70.25.115.53) on

      > It would be nice if anyone could shed some light on the current state of OpenBSD's IPSec implementation vs. OpenVPN from a users perspective,

      Openvpn is a huge pain in the ass compared to openbsd's ipsec implementation. But openvpn has the only decent free client for windows I have found, so I use openvpn for users to connect to the gateway, and ipsec to connect the office gateways together.

    4. By Henrik Kramshøj (195.212.29.92) hlk@kramse.dk on www.kramse.dk

      > It would be nice if anyone could shed some light on the current state of OpenBSD's IPSec implementation vs. OpenVPN from a users perspective,
      IPsec is described already, IP packets secured - GREAT on OpenBSD!

      OpenVPN is really easy to setup for a geeky roadwarrior/consultant doing work in different networks with different policies. Why? Because sometimes OpenVPN across port 443 is easier to get through the firewalls when connecting from customers networks - which is what I use it for.

      ... but I will certainly look into OpenSSH tunnels, which I tested using two OpenBSD machines - works really nice and easy!

      So, IPsec is working great if you are allowed to send the traffic.

      OpenVPN tunnels packets across SSL, OpenSSH new functionality tunnels packets across "SSH" (which is SSL) - difference is that OpenSSH can make use of the existing SSH keys we already use for connecting back to servers at home, when roaming the world.

      OpenVPN was nice, but I expect to use OpenSSH with tun0 when this comes to my Mac OS X. I gotta find time to look into the OpenSSH sources ...

      Comments
      1. By Anonymous Coward (82.135.30.22) on

        you obviously have no idea what ipsec is (:
        ssh is not ipsec. openvpn is not ipsec.
        so if you wanna compare your ipsec that is apparently ssh vs openvpn then it's nothing to compare either as openvpn is a hack.

  6. By Anonymous Coward (87.78.67.102) on

    oh, and btw... very cool diffs you produced at/after that hackathon! nice work.

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]