[Openswan dev] ocf debian

Paul Wouters paul at xelerance.com
Thu Dec 16 14:51:39 EST 2010


On Thu, 16 Dec 2010, Harald Jenny wrote:

>>> Sounds like a very good idea - but must it even be made a compile time option
>>> then for KLIPS? I guess it would rather call for two options like protostack,
>>> namely cryptstack and hashstack, with values "built-in" (both crypto and hash,
>>> default value and fallback), "ocf" (both crypto and hash) and "cryptoapi"
>>> (currently only crypto). How about this?
>>
>> The big issue is that OCF requires us to link to openssl,
>
> For userspace that may be true, but for kernel space?

Oh sorry. Right. Currently (according to David) if OCF and CryptoAPI support
are enabled in KLIPS, then first OCF is attempted, then CryptoAPI, then KLIPS
native code. I have not verified if this is so - if it is the compiler #warning
statements are misleading.

I'm not sure what happens for ciphers that one does not support. For instance if
you pick esp=twofish, will it use CryptoAPI (the only place that supports it)

I am not sure if making these available to the user makes much sense. We would
also like to get rid of KLIPS native crypto code (3des,aes) in favour of the
cryptoapi code, though I think currently would break OCF (as the native crypto
code in cryptoapi does not have OCF support) and I think the native klips code
might be a few percent faster for 3des/aes (benchmark results might not be up to
date anymore)

>> and for instance
>> Red Hat does not allow us to do that because of certification.
>
> Ok sounds reasonable but this would not prevent us from giving users the option
> in ipsec.conf?

What informed decisions could a user make not to prefer the faster over the slower
kernel method?

>>>> Okay, and that's probably the most useful and easest to do. So a dkms without
>>>> userland ocf pacakge. Then change the klips DKMS to require the ocf-dkms.
>>>
>>> Well I would rather call it an option, not a requirements - maybe there are
>>> people out there who don't want to use OCF?
>>
>> David, can we have a module parameter for OCF? eg modprobe ipsec ocf={0,1} ?
>
> I would rather vote for crypt={1,2,3} and hash={1,2|,3(in the future)|}.

I'm still not entirely sure what that buys though.

Paul


More information about the Dev mailing list