FastIPSec and OCF

Eygene Ryabinkin rea-fbsd at codelabs.ru
Fri Oct 5 07:33:45 PDT 2007


Fri, Oct 05, 2007 at 02:10:06PM +0100, Bubble Reading wrote:
> Thanks much for your help.

You're welcome ;))

> I am using FreeBSD v6.2.
> 
> My aim is to use a hardware crypto card.

Yes, but for what purpose?  To accelerate IPSec or to do some
cryptographic operations?  This is a somewhat rhetorical question,
because both issues are touched on a bit below ;))

> And OCF provides the generic kernel
> level interface to hardware cryptology.

Yes, and it's accessible through /dev/crypto, see crypto(4).
Possibly you will want to read the original OCF design paper:
http://www.thought.net/jason/ocfpaper/node8.html#SECTION00042000000000000000

> As I understood from you that Fast-IPSec is a kernel level module which I
> can use to create a VPN tunnel. Is there a userland application which uses
> Fast-IPSec?

Fast IPSec is the networking layer.  You can create the gifN device,
configure it and it will encapsulate all traffic that is passing
through it.  Perhaps, the traffic will be encrypted if you
pass the right parameters to the setkey utility.  If you have some
hardware accelerator, then it will be used automatically for
operations it can accelerate: devices are registered to the crypto
framework as the providers of certain operations.  So, crypto
hardware will be used automagically.

The interesting question is what will be done if more than one
cryptographic accelerator provides support for a given routine.
It seems that some sort of load-balancing is done: the
driver that has the smaller number of pending crypto operations
is selected.

OK, I had somewhat lost the topic, so I am returning to the point.

As for the userland application, there is some code in OpenSSL,
see /usr/src/crypto/openssl/crypto/evp/openbsd_hw.c.  I suspect
that this is what the OCF design paper refers to as the OpenSSL
enhancement.  Another place in the OpenSSL code that uses
/dev/crypto is /usr/src/crypto/openssl/crypto/engine/eng_cryptodev.c.

There is another place, http://www.logix.cz/michal/devel/cryptodev/,
that has some examples on how to use OCF.  It talks about Linux,
but it was promised that the OCF API and semantics are preserved.

You can also check out the contents of the /usr/src/tools/tools/crypto/,
especially cryptotest.c.  Samuel Leffler has the Usenix paper,
http://www.usenix.org/publications/library/proceedings/bsdcon03/tech/leffler_crypto/leffler_crypto.pdf
that talks about the optimizations of OCF that were done in FreeBSD.
cryptotest.c was written by him to do the profiling.
-- 
Eygene
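
Added example, not part of the original message and not FreeBSD kernel code:
a userspace C model of the behaviour the message describes, where devices
register the operations they provide and a request goes to the capable
device with the fewest pending operations. All names and values are
hypothetical and constructed for illustration.

```c
/* Userspace model of the provider selection described in the message.
 * Not FreeBSD kernel code; every name and value here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ALG_DES3 = 1 << 0, ALG_AES = 1 << 1, ALG_SHA1_HMAC = 1 << 2 };

struct provider {
    const char *name;    /* constructed sample name */
    uint32_t algs;       /* operations the device registered for */
    unsigned pending;    /* operations queued and not yet completed */
};

/* Index of the provider that supports every algorithm in `need` and has
 * the fewest pending operations; -1 if none qualifies. Ties go to the
 * earliest registered provider. */
static int select_provider(const struct provider *p, size_t n, uint32_t need) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if ((p[i].algs & need) != need)
            continue;    /* cannot serve the whole request */
        if (best < 0 || p[i].pending < p[best].pending)
            best = (int)i;
    }
    return best;
}

/* Pick a provider for one request and account for the queued operation. */
static int dispatch(struct provider *p, size_t n, uint32_t need) {
    int i = select_provider(p, n, need);
    if (i >= 0)
        p[i].pending++;
    return i;
}

static struct provider sample[] = {    /* constructed sample devices */
    { "accel0", ALG_DES3 | ALG_AES | ALG_SHA1_HMAC, 3 },
    { "accel1", ALG_AES | ALG_SHA1_HMAC, 1 },
    { "accel2", ALG_DES3, 0 },
};

int main(void) {
    for (int k = 0; k < 4; k++) {
        int i = dispatch(sample, 3, ALG_AES | ALG_SHA1_HMAC);
        printf("request %d -> %s\n", k, i >= 0 ? sample[i].name : "none");
    }
    return 0;
}
```

A request that no registered device can serve returns -1 in this model,
which is the point where a caller would have to use a software
implementation instead.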

