[Openswan dev] [PATCH 0/2] ESP_NULL support for openswan-2.4.6

JuanJo Ciarlante jjo-ipsec at mendoza.gov.ar
Mon Sep 25 09:09:53 EDT 2006

It's been a looong time... nice to actually have something to
contribute again :-)

I made this patch for a coleague with the following scenario:
1) VoIP streams inside VPN (asterisks with private addressing)
2) Deployment migrating from openswan-1.x to openswan-2.x
   They were tunneling voip streams over esp=null-md5 SAs with
   BW usage between ~44-48kbps.
   No comments on POTS-like sniffing,  please :-S
3) _Very_ constrained SLA with provider, AFAICR about 32kbps guaranteed
   This is the main reason for ESP_NULL; with any current CBC cipher
   the ~12bytes space added (8 for IV + 4 statistically for padding)
   happens to be quite relevant for the ~90bytes VoIP datagram.
   Measured BW usage goes to about ~52kbps effectively degrading VoIP
   to almost unusable (recall 32kbps "CIR").
4) NAT-Traversal required
   Obviously makes AH not an option.

Hope 2-4 serve as a moderator for the flames to come , heh...

PATCH 1/2 has a one-line ESP_NULL fix for  pluto /linux-2.6
PATCH 2/2 creates linux/net/ipsec/null/ipsec_alg_null.c and supporting files
I'll send them both in separate mails.

Regards!!... nice to be here again :)

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar                     #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177     #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20060925/d3d6230d/attachment.bin 

More information about the Dev mailing list