[Openswan dev] [PATCH 0/2] ESP_NULL support for openswan-2.4.6
JuanJo Ciarlante
jjo-ipsec at mendoza.gov.ar
Mon Sep 25 09:09:53 EDT 2006
Hi!
It's been a looong time... nice to actually have something to
contribute again :-)
I made this patch for a colleague with the following scenario:
1) VoIP streams inside VPN (asterisks with private addressing)
2) Deployment migrating from openswan-1.x to openswan-2.x
They were tunneling voip streams over esp=null-md5 SAs with
BW usage between ~44-48kbps.
No comments on POTS-like sniffing, please :-S
3) _Very_ constrained SLA with provider, AFAICR about 32kbps guaranteed
This is the main reason for ESP_NULL; with any current CBC cipher
the ~12bytes space added (8 for IV + 4 statistically for padding)
happens to be quite relevant for the ~90bytes VoIP datagram.
Measured BW usage goes to about ~52kbps effectively degrading VoIP
to almost unusable (recall 32kbps "CIR").
4) NAT-Traversal required
Obviously makes AH not an option.
Hope 2-4 serve as a moderator for the flames to come, heh...
PATCH 1/2 has a one-line ESP_NULL fix for pluto /linux-2.6
PATCH 2/2 creates linux/net/ipsec/null/ipsec_alg_null.c and supporting files
I'll send them both in separate mails.
Regards!!... nice to be here again :)
--
--Juanjo
# Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
# GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
# Key fingerprint: 0D2F 3E5D 8B5C 729E 0560 F453 A3F7 E249 6672 7177 #
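
The per-packet size arithmetic behind point 3, as an added example that is not part of the original message or of the Openswan patches. It assumes tunnel mode over IPv4 with NAT-T, HMAC-MD5-96 authentication, and that the ~90-byte datagram is the whole inner IP packet; the packet rate is a constructed sample value.

```python
"""ESP tunnel-mode wire size per RFC 4303, with NAT-T UDP encapsulation (RFC 3948)."""
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IPv4 header, no options
NATT_UDP = 8       # UDP header added by NAT-T encapsulation
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV_HMAC_96 = 12   # HMAC-MD5-96 integrity check value


@dataclass(frozen=True)
class Cipher:
    name: str
    iv_len: int   # explicit IV carried in every packet
    align: int    # payload + padding + trailer must be a multiple of this


ESP_NULL = Cipher("null", iv_len=0, align=4)            # RFC 4303 4-byte alignment only
CBC_64 = Cipher("64-bit-block CBC", iv_len=8, align=8)  # e.g. 3DES-CBC


def esp_padding(inner_len: int, cipher: Cipher) -> int:
    """Padding bytes needed so inner packet + padding + trailer is aligned."""
    return -(inner_len + ESP_TRAILER) % cipher.align


def wire_size(inner_len: int, cipher: Cipher, natt: bool = True) -> int:
    """Total bytes of the outer IP packet for one inner packet."""
    return (OUTER_IPV4 + (NATT_UDP if natt else 0) + ESP_HEADER + cipher.iv_len
            + inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER + ICV_HMAC_96)


def bandwidth_kbps(inner_len: int, cipher: Cipher, pps: float) -> float:
    """IP-layer bandwidth at a given packet rate (pps is an assumed input)."""
    return wire_size(inner_len, cipher) * 8 * pps / 1000


if __name__ == "__main__":
    INNER = 90   # assumption: the ~90-byte datagram is the whole inner IP packet
    PPS = 40     # constructed sample rate, not a figure from the message
    for c in (ESP_NULL, CBC_64):
        print(f"{c.name:18} pad={esp_padding(INNER, c)} wire={wire_size(INNER, c)}B "
              f"{bandwidth_kbps(INNER, c, PPS):.1f} kbps")
```

For a 90-byte inner packet the CBC case comes out 12 bytes larger per packet than ESP_NULL: 8 bytes of IV plus 4 bytes of padding.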