AAScratch: Difference between revisions
No edit summary |
No edit summary |
||
| Line 38: | Line 38: | ||
== Userspace IPsec Stacks == | == Userspace IPsec Stacks == | ||
Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular. | Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular. | ||
=== VPP + DPDK | === VPP + DPDK (Userspace ESP + IKE) === | ||
VPP has its own IKEv2 and ESP implimentation. | VPP has its own IKEv2 and ESP implimentation. | ||
| Line 44: | Line 44: | ||
* [https://archive.fosdem.org/2019/schedule/event/userspace_network_stacks User-space Network Stacks (DPDK and friends)] 2019 | * [https://archive.fosdem.org/2019/schedule/event/userspace_network_stacks User-space Network Stacks (DPDK and friends)] 2019 | ||
== Snabb == | == Snabb ESP userspace stack == | ||
Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp | Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp | ||
[https://fosdem.org/2020/schedule/event/vita_high_speed_traffic_encryption_on_x86_64/ Snabb FOSDEM 2020] | [https://fosdem.org/2020/schedule/event/vita_high_speed_traffic_encryption_on_x86_64/ Snabb FOSDEM 2020] | ||
Revision as of 20:57, 7 June 2020
Antony's unsorted pages I want access quickly, related to libreswan, when think I know this page exist where is it. Someone moved it renamed ..
- XFRM pCPU
- XFRMi Development Notes 2018-2019
- Namespace Magic, 2019
- IKEv2 State names proposal 2016 - 2019
- Cloud Opportunistic Encryption(OE)
- Linux Kernel Support related to libreswan
virtiofs replace 9pfs: libvirt 6.2, qemu 5.0, kernel 5.4
- libvirt 6.2 Fedora 33? Did not make to Fedora 32. F33?
- RH BZ libvirtd merge tracking the request
- QEMU 5.0 added support for virtiofsd. F33??
- virtio-fs Mainline kernel 5.4
- virtiofs RFC patches
KVM/QEMU + vsock to replace 9pfs
KVM support for vsock and nfs support could have a better performance than 9pfs. This work could be interesting to libreswan KVM testing. It started in 2015. Slowly picking up, as 2018 it seems AWS and firecracker is pushing it. We are almost there.
- 2015 LWN virtio
IPsec and Linux Kernel developments
- XFRM Offload : starting 4.14
* NAT support ??? * What if the interface is a bridge? can libreswan/strongswan configure SA correctly? bridge * what if the packets arrive on different interface would that get decrypted correctly?
- XFRM and XDP
* idea presentation Steffen Klassert Linux Netconf, Boston, June, 2019
- XFRM pCPU prototype experimental
Userspace IPsec Stacks
Over last few years specialized user space IPSec(ESP) stacks and IKE implementations are becoming popular.
VPP + DPDK (Userspace ESP + IKE)
VPP has its own IKEv2 and ESP implimentation.
Snabb ESP userspace stack
Snabb as of 2020 has ESP. No IKE, it can easily use of the shelf IKE say strongswan for IKE and and few command line calls to installl snabb esp Snabb FOSDEM 2020 snabb ipsec podcast Strongswan inegeration
OVS
http://docs.openvswitch.org/en/latest/tutorials/ipsec/
iptable rule to drop IKEv2 message id X
https://unix.stackexchange.com/questions/321252/drop-a-packet-depending-on-its-options-or-type
# drop ike message ID 6 iptables -A INPUT -m u32 --u32 '0x6 & 0xFF = 0x11 && 0x30 & 0xFFFFFFFF = 0x4' -j DROP