wiki1650: Ipsec_wiki_page (Version 16)

IPSec and Hardware Acceleration#

We have full support for IPSec built into the io-pkt-v4-hc and io-pkt-v6-hc stack variants (don't forget to add the "ipsec" parameter option to the stack to enable ipsec when the stack starts).

There's a good reference page in the NetBSD man pages covering ipsec in general. Some aspects of it are NetBSD-specific (you obviously don't have to worry about re-building the kernel, for example; just make sure that you use a stack variant which has ipsec built in, since the straight io-pkt-v4 stack doesn't include ipsec capability).

Examples#

The following examples illustrate basic ipsec setup.

Setup an ipsec connection between two boxes manually#

Consider two boxes, A and B, between which we want to establish ipsec: BoxA ==(ipsec)== BoxB

Step 1: On each box, create a script file (let's say its name is "script") with the following content:

	#!/bin/ksh
	# args: This script takes two arguments. The first one is the IP address of the box it runs on.
	#       The second one is the IP address of the box that this box is to establish an ipsec connection to.
	if [ $# -ne 2 ]; then
		echo "usage: $0 <my-ip> <remote-ip>" >&2
		exit 1
	fi
	Myself=$1
	Remote=$2

	# The following two lines flush the policy (SPD) and SA (SAD) databases. I put these here simply
	# to demo the "hello world" level connection. You certainly don't need to do that ...
	setkey -FP
	setkey -F

	# use setkey to input all of the SA content: one policy per direction, then one SA per direction.
	setkey -c << EOF

	spdadd $Myself $Remote any -P out ipsec esp/transport/$Myself-$Remote/require;
	spdadd $Remote $Myself any -P in ipsec esp/transport/$Remote-$Myself/require;

	add  $Myself $Remote esp 1234 -m any -E 3des-cbc "KeyIsTwentyFourBytesLong";
	add  $Remote $Myself esp 1234 -m any -E 3des-cbc "KeyIsTwentyFourBytesLong";
	EOF

Step 2: On BoxA, run "./script BoxA BoxB", or give the IP address of each box directly if the name cannot be resolved (e.g. "BoxA" => "192.168.200.10"). Similarly, on BoxB, run "./script BoxB BoxA".

That's all there is to it. Now you can check the connection by pinging one box from the other. You can get the ipsec status by using "setkey -PD".
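As an added example (not part of the original page or the io-pkt project), the following sh script builds the same setkey input as the script above but with a separate randomly generated key and SPI per direction, hex keys in setkey's 0x... form, and a key-length check before anything is loaded; the names gen_key, check_key and gen_setkey_conf are this example's own.

```shell
#!/bin/sh
# Added example (not from the io-pkt wiki): generate the setkey input for a
# manually keyed ESP transport-mode pair with one key and SPI per direction.
# gen_key, check_key and gen_setkey_conf are names assumed for this example.

# 3des-cbc takes a 24-byte key; in setkey's hex form that is 48 characters after "0x".
KEYLEN_HEX=48

# Print a fresh random 3des-cbc key as 0x followed by 48 hex digits.
gen_key() {
    printf '0x%s\n' "$(dd if=/dev/urandom bs=24 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
}

# Return 0 only if $1 is a 0x-prefixed hex string of exactly the right length.
check_key() {
    key=${1#0x}
    [ "$key" != "$1" ] || return 1              # must carry the 0x prefix
    [ ${#key} -eq "$KEYLEN_HEX" ] || return 1   # exactly 24 bytes
    case $key in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# Emit setkey -c input. Args: MYSELF REMOTE SPI_OUT SPI_IN KEY_OUT KEY_IN.
# Refuses malformed keys and the reuse of one key for both directions.
gen_setkey_conf() {
    myself=$1; remote=$2; spi_out=$3; spi_in=$4; key_out=$5; key_in=$6
    check_key "$key_out" || { echo "bad outbound key" >&2; return 1; }
    check_key "$key_in"  || { echo "bad inbound key"  >&2; return 1; }
    [ "$key_out" != "$key_in" ] || { echo "same key used in both directions" >&2; return 1; }
    cat <<EOF
spdadd $myself $remote any -P out ipsec esp/transport/$myself-$remote/require;
spdadd $remote $myself any -P in ipsec esp/transport/$remote-$myself/require;
add $myself $remote esp $spi_out -m transport -E 3des-cbc $key_out;
add $remote $myself esp $spi_in -m transport -E 3des-cbc $key_in;
EOF
}

# Usage on BoxA (KEY_AB and KEY_BA come from gen_key and are shared with BoxB
# over a separate secure channel; BoxB runs the same call with the two
# addresses, the two SPIs and the two keys swapped):
#   gen_setkey_conf 192.168.200.10 192.168.200.20 1001 1002 "$KEY_AB" "$KEY_BA" | setkey -c
```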

IPSec Tools#

We've taken IPSec tools (ipsec-tools.sourceforge.net) from the NetBSD source base and incorporated them into our source base. The build produces:

  • libipsec (PF_KEY library routines)
  • setkey (Security Policy Database and Security Association Database management tool)
  • racoon (IKE Daemon)
  • racoonctl (racoon command line control tool)

OpenSSL Support#

The OpenSSL crypto and SSL libraries (from www.openssl.org) have been ported, and the source and libraries are available for your applications to use.

Hardware Accelerated Crypto#

io-pkt has the (hardware-independent) infrastructure to load a (hardware-dependent) driver that takes advantage of dedicated hardware able to perform cryptographic operations at high speed. This not only speeds up the crypto operations (such as those used by IPSec) but also reduces the CPU load. The interface is carefully crafted so that the stack does not block on the crypto operation; rather, it continues on, and later the driver returns the processed data to the stack through a callback. This is ideal for DMA-driven crypto hardware.

Supported Hardware Crypto Engines#

One example of this is the MPCSEC crypto hardware core (present on some, but not all, MPC 85XX and 83XX parts), for which io-pkt has a driver. This driver is called "devnp-mpcsec.so" and is found in the "sys/dev_qnx/mpcsec" source directory. It loads just like a network driver; to run it:

# io-pkt-v6-hc -d mpcsec -d mpc85xx

where devnp-mpc85xx.so is the driver for the tsec or etsec ethernet ports on the MPC 83xx and 85xx. For considerably more information on this subject, please see the text file "sys/dev_qnx/mpcsec/README", which goes into great detail about the layout and functioning of this driver and gives some sample IPSec configurations.