[Openswan dev] Openswan 3.0.00 release (unstable)

Michael Richardson mcr at xelerance.com
Wed Nov 1 16:04:51 EST 2006

Hash: SHA1

Since April 2006, Xelerance has been hard under contract with Hifn
to provide support in Linux and FreeBSD for the Hifn product line.
  {Likely, it will eventually work on NetBSD, and OSX too}

We are finally putting the finishing touches on code that has slowly
evolved.  We have been trying to move our kernel component into a state
where it could deal with doing asynchronous symmetric cryptography
operations.  Similarly, in userland we want to support doing
asynchronous asymmetric public key operations.  Being able to do this
means being able to offload these things to hardware.

We are pleased to announce a 3.0.00 release. It includes offload of
both symmetric and assymetric operations.

This is a very experimental release.

There will be many 3.0.xx (unstable) releases, perhaps one per week, and
we expect to do a 3.1.00 (testing) release prior to February 1. 

There most likely will be 3.0.xx releases after the 3.1.00 release that
will become 3.2.xx.  (Please see our Release Numbering document, posted
in the next email)

We know that 3.0.00 will not patch against 2.6.19 because it uses the
cryptoapi for hashes, and the interface for hashes has changed.  This
will get fixed soon.  

It does work with 2.6.18, and we regularly patch it into 2.6.16 kernels
that have also been patched with the Xen 3 patches. 

Significant things that have changed in 3.0.00:

    a) it is a superset of 2.5.00 (see other release note).
       It presently has all the bugs that 2.5.00 has.

    b) we do all DH operations asynchronously. (Previously, only
       it was done for phase 1 operations only)

    c) we use OCF /dev/cryptodev to offload modp operations to hardware
       if possible.

    d) with KLIPS on Linux, we always use OCF to offload algorithm
       operations.  When no hardware is present, we therefore use 
       the cryptosoft interface to the cryptoapi.

    e) with FreeBSD, we use the OCF code as well. This is already
       stock FreeBSD, but we are in the process of contributing some
       patches that permit more detailed control over which device
       is used. We provide a FreeBSD-7 snapshot git tree that contains
       our patches, and which we can offer support for.

    f) we have a modified hifn7751 driver that has been extensively
       tested under Linux and FreeBSD with the Hifn 7956 devices
       on the Hifn cards.  In addition, it operates the PK engine.

    g) the KLIPS on Linux includes all of the OCF code, including the
       hardware drivers.  We can additionally feed the /dev/random
       entropy pool directly, even if the kernel is entirely statically	

Things that are missing/broken/incomplete at present:
    1) This release does not contain support for compression yet.
       (it is in progress)

    2) there are some race conditions that still show up under load
       on Linux.

    3) there are possibly some issues with rekeys on all platforms.
    4) on FreeBSD userland, we do not process PFKEY acquire messages yet.

    5) on FreeBSD, we do not delete old outgoing SAs from the SADB yet.
       This matters because of the indirection between present in the
       KAME SPDB/SADB. It is legitimate for the kernel to continue using
       the old SA instead of the new one, until the old one expires.

       Pluto would prefer to use the new one immediately.

The KLIPS OCF code that is included is largely the result of the work
done by David McCullough of Snapgear/SecureComputing.  We have been
refactoring it to support packet-mode offload.  This work has been
ongoing, but has not had the visibility that we would have liked.

The OCF work was originally a port to FreeBSD of the OpenBSD OCF code by
Sam Leffler.  

If you are interested in it, we ask you to join the
ocf2-discuss at hifn.xelerance.com list.

Note: that this refactoring work includes using all of the "xfrm" (aka
      NETKEY, aka "native") ESP and AH code as a "packet-level" offload from
      KLIPS.  This is the first step in a merge of KLIPS and NETKEY code.

Michael Richardson
Xelerance, VP R&D.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list