DragonFly BSD
DragonFly kernel List (threaded) for 2012-07
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: More with AES GCM/GMAC

From: Alex Hornung <ahornung@xxxxxxxxx>
Date: Thu, 19 Jul 2012 23:07:08 +0100

On 19/07/12 17:54, Chris Rogers wrote:
> I'm assuming that the native IPsec client on Dragonfly somehow accounts
> for this, and will correctly initialize a second session to ensure that
> the GMAC portion is executed. Pfkeyv2.h doesn't have a SADB_X_AALG ID
> defined for GMAC, so it must only be used for encryption, and yet the
> GMACs are defined in auth_hash structs.  So, my next question is, how is
> that session created?  How do we get the GMAC case to trigger, and lend
> its portion of the encryption to GCM without specifying it explicitly as
> an authentication algorithm in the SA (because that creates a whole host
> of other problems a lot deeper in the kernel)?

Our IPsec implementation does not support AES GCM nor GMAC. To support
it, we would indeed need something setting up an encryption algorithm as
well as an authentication algorithm. See [1] for OpenBSD's
implementation of some of the relevant bits.

In general we do have a bit of a partially outdated mess with ipsec (we
do have two implementations if I recall correctly, none of them well
tested as far as I know). Take this last bit with a pinch of salt; I'm
sure there are people who know more about the state of ipsec in DragonFly.


[1]: http://grok.x12.su/source/xref/openbsd/sys/netinet/ip_esp.c#164

PS: I'd appreciate it if you could reply to the thread instead of
creating a new one with a *hyperlink* to an archived version of my mail.

[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]