[RFC/RFT] projects/ipsec

Andrey V. Elsukov ae at FreeBSD.org
Sat Dec 10 23:08:01 UTC 2016

Hi All,

I am pleased to announce that projects/ipsec, that I started several
months ago is ready for testing and review.
The main goals were:
  * rework locking to make IPsec code more friendly for concurrent
  * make lookup in SADB/SPDB faster;
  * revise PFKEY implementation, remove stale code, make it closer
    to RFC;
  * implement IPsec VTI (virtual tunneling interface);
  * make IPsec code loadable as kernel module.

Currently all, except the last one is mostly done. So, I decided ask for
a help to test the what already done, while I will work on the last task.

How to try? There are no patches, you need to checkout the full
projects/ipsec source tree, and build the kernel and the base system.
There are very few changes in the base system, mostly the kernel
changes. Thus for testing that old configuration is still work, it is
enough to build only the kernel.

The approximate list of changes that may be visible to users:
* SA bundles now can have only 4 items in the chain. I think it is
enough, I can't imagine configurations when needed more. Also now SA
bundles supported for IPv6 too.
* due to changes in SPDB/SADB, systems where large number of SPs and SAs
are in use should get significant performance benefits.
* the memory consumption should slightly increase. There are several
hash tables and SP cache appeared.
* INPCB SP cache should noticeable increase network performance of
application when security policies are presence.
* use transport mode IPsec for forwarded IPv4 packets now unsupported.
This matches the IPv6 behavior, and since we can handle the replies, I
think it is useless.
* Added net.inet.ipsec.check_policy_history sysctl variable. When it is
set, each inbound packet that was handled by IPsec will be checked
according to matching security policy. If not all IPsec transforms were
applied, the check will fail, and packet will be dropped.
* Many PF_KEY messages handlers was updated, probably some IKEd now may
fail due to stricter checks.
* SPI now unique for each SA. This also can break something.
* Added if_ipsec interface. For more info look at
* TCP_SIGNATURE code was reworked and now it behaves closer to RFC
* NAT-T support was reworked.
Also I made the patch to racoon that adds better support of NAT-T,
you can use this port to build patched racoon:

What results is interesting to me?
If you have some nontrivial configuration, please test.
If you have some configuration, that did't work, please test this branch.
If you have performance problems, please test. But don't forget that
this is head/ branch, you need to disable all debugging first.
If you just want to test, pay attention to the output of
`vmstat -m | egrep "sec|sah|pol|crypt"`.
If you have used TCP_SIGNATURE, IPSEC_NAT_T options, please test, this
support was significantly changed.

PS. I just updated the branch to last head/, and it was not tested, sorry :)

WBR, Andrey V. Elsukov

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 541 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20161211/18cf6f05/attachment.sig>

More information about the freebsd-current mailing list