Andrey V. Elsukov
ae at FreeBSD.org
Tue Jan 10 19:49:46 UTC 2017
I ported the changes from projects/ipsec to stable/11 branch.
So, if it is more suitable for testing, please, welcome.
You can checkout the sources from github:
Also I made the standalone patch:
Unfortunately, I did only compile test for stable branch.
> I am pleased to announce that projects/ipsec, that I started several
> months ago is ready for testing and review.
> The main goals were:
> * rework locking to make IPsec code more friendly for concurrent
> * make lookup in SADB/SPDB faster;
> * revise PFKEY implementation, remove stale code, make it closer
> to RFC;
> * implement IPsec VTI (virtual tunneling interface);
> * make IPsec code loadable as kernel module.
> Currently all, except the last one is mostly done. So, I decided ask for
> a help to test the what already done, while I will work on the last task.
> How to try? There are no patches, you need to checkout the full
> projects/ipsec source tree, and build the kernel and the base system.
> There are very few changes in the base system, mostly the kernel
> changes. Thus for testing that old configuration is still work, it is
> enough to build only the kernel.
> The approximate list of changes that may be visible to users:
> * SA bundles now can have only 4 items in the chain. I think it is
> enough, I can't imagine configurations when needed more. Also now SA
> bundles supported for IPv6 too.
> * due to changes in SPDB/SADB, systems where large number of SPs and SAs
> are in use should get significant performance benefits.
> * the memory consumption should slightly increase. There are several
> hash tables and SP cache appeared.
> * INPCB SP cache should noticeable increase network performance of
> application when security policies are presence.
> * use transport mode IPsec for forwarded IPv4 packets now unsupported.
> This matches the IPv6 behavior, and since we can handle the replies, I
> think it is useless.
> * Added net.inet.ipsec.check_policy_history sysctl variable. When it is
> set, each inbound packet that was handled by IPsec will be checked
> according to matching security policy. If not all IPsec transforms were
> applied, the check will fail, and packet will be dropped.
> * Many PF_KEY messages handlers was updated, probably some IKEd now may
> fail due to stricter checks.
> * SPI now unique for each SA. This also can break something.
> * Added if_ipsec interface. For more info look at
> * TCP_SIGNATURE code was reworked and now it behaves closer to RFC
> * NAT-T support was reworked.
> Also I made the patch to racoon that adds better support of NAT-T,
> you can use this port to build patched racoon:
> What results is interesting to me?
> If you have some nontrivial configuration, please test.
> If you have some configuration, that did't work, please test this branch.
> If you have performance problems, please test. But don't forget that
> this is head/ branch, you need to disable all debugging first.
> If you just want to test, pay attention to the output of
> `vmstat -m | egrep "sec|sah|pol|crypt"`.
> If you have used TCP_SIGNATURE, IPSEC_NAT_T options, please test, this
> support was significantly changed.
IPsec as kernel modules was reported here:
Some additional testing also needed with this...
WBR, Andrey V. Elsukov
More information about the freebsd-net