Subject: FAST_IPSEC
To: None <current-users@netbsd.org>
From: John R. Shannon <john@johnrshannon.com>
List: current-users
Date: 01/07/2006 07:31:40
NetBSD 3.99.15 amd64

nas# dmesg |grep ubsec
ubsec0 at pci7 dev 1 function 0: Broadcom BCM5820, rev. 16
ubsec0: interrupting at ioapic4 pin 0 (irq 5)

I have a connection between a NetBSD and OpenBSD machine. Both machines are
equipped with Broadcom BCM5820 cryptographic accelerators. I can ping in both
directions.

The connection performs correctly in the NetBSD -> OpenBSD direction. It fails
in the OpenBSD -> NetBSD direction if I try something like netperf. The same
connection works with IPSEC instead of FAST_IPSEC.

setkey -D shows:

192.168.1.41 192.168.1.9
	esp mode=transport spi=82185(0x00014109) reqid=0(0x00000000)
	E: 3des-cbc dda02628 3c181562 175f3914 45f65dc4 025bc3d0 7ffa7065
	A: hmac-sha1 ad8ccdac b2cc18d4 2dcc2076 231ce150 89a89eb1
	seq=0x00013dcd replay=0 flags=0x00000040 state=mature
	created: Jan 7 06:01:15 2006 current: Jan 7 06:54:52 2006
	diff: 3217(s) hard: 0(s) soft: 0(s)
	last: hard: 0(s) soft: 0(s)
	current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 0 hard: 0 soft: 0
	sadb_seq=13 pid=17002 refcnt=3
192.168.1.9 192.168.1.41
	esp mode=transport spi=67905(0x00010941) reqid=0(0x00000000)
	E: 3des-cbc dda02628 3c181562 175f3914 45f65dc4 025bc3d0 7ffa7065
	A: hmac-sha1 ad8ccdac b2cc18d4 2dcc2076 231ce150 89a89eb1
	seq=0x00000000 replay=0 flags=0x00000040 state=mature
	created: Jan 7 06:01:15 2006 current: Jan 7 06:54:52 2006
	diff: 3217(s) hard: 0(s) soft: 0(s)
	last: Jan 7 06:54:10 2006 hard: 0(s) soft: 0(s)
	current: 3179628(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 44920 hard: 0 soft: 0
	sadb_seq=12 pid=17002 refcnt=1

On the OpenBSD machine,

# ipsecadm show
sadb_dump: satype esp vers 2 len 26 seq 0 pid 0
	sa: spi 0x00010941 auth hmac-sha1 enc 3des-cbc
		state mature replay 0 flags 0
	lifetime_cur: alloc 0 bytes 1935132 add 1136640495 first 1136640561
	x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1136643075
	address_src: 192.168.1.9
	address_dst: 192.168.1.41
	key_auth: bits 160: ad8ccdacb2cc18d42dcc2076231ce15089a89eb1
	key_encrypt: bits 192: dda026283c181562175f391445f65dc4025bc3d07ffa7065
sadb_dump: satype esp vers 2 len 26 seq 0 pid 0
	sa: spi 0x00014109 auth hmac-sha1 enc 3des-cbc
		state mature replay 0 flags 0
	lifetime_cur: alloc 0 bytes 106382888 add 1136640495 first 1136640561
	x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1136643071
	address_src: 192.168.1.41
	address_dst: 192.168.1.9
	key_auth: bits 160: ad8ccdacb2cc18d42dcc2076231ce15089a89eb1
	key_encrypt: bits 192: dda026283c181562175f391445f65dc4025bc3d07ffa7065

OpenBSD netstat -sn shows:

esp:
	78755 input ESP packets
	42322 output ESP packets
	0 packets from unsupported protocol families
	0 packets shorter than header shows
	0 packets dropped due to policy
	0 packets for which no TDB was found
	0 input packets that failed to be processed
	0 packets with bad encryption received
	82 packets that failed verification received
	0 packets for which no XFORM was set in TDB received
	0 packets were dropped due to full output queue
	0 packets where counter wrapping was detected
	0 possibly replayed packets received
	0 packets with bad payload size or padding received
	0 packets attempted to use an invalid TDB
	0 packets got larger than max IP packet size
	0 packets that failed crypto processing
	0 input UDP encapsulated ESP packets
	0 output UDP encapsulated ESP packets
	0 UDP packets for non-encapsulating TDB received
	106374024 input bytes
	1933980 output bytes

Setting up the SA with rijndael-cbc and hmac-sha1 with FAST_IPSEC works. In
this case the hmac-sha1 should be performed in hardware and the encryption in
software.

Suggestions?

-- 
John R. Shannon
john@johnrshannon.com
john.r.shannon@saic.com
john.r.shannon@us.army.mil
shannonjr@NetBSD.org
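The first thing to rule out with a one-way ESP failure is a disagreement between the two SA databases, and the post gives everything needed to check that mechanically. The script below is an added example, not part of the post or of NetBSD/OpenBSD: it parses the NetBSD `setkey -D` and OpenBSD `ipsecadm show` dumps into the same shape (keyed by src/dst pair), reports any SPI, algorithm or key that differs between the two ends, and pulls the non-zero error counters out of the `esp:` section of `netstat -sn`. The sample inputs are constructed from the figures quoted above (abridged to the lines the parsers use); the line-wrapped `key_encrypt` value is handled as the mail shows it. It assumes the output layouts as quoted here, not any other version of these tools.

```python
import re

# Constructed samples using the figures from the post: NetBSD `setkey -D`, OpenBSD
# `ipsecadm show` (first key_encrypt wrapped onto the next line, as in the mail)
# and the esp: section of OpenBSD `netstat -sn`.
SETKEY_D = """\
192.168.1.41 192.168.1.9
    esp mode=transport spi=82185(0x00014109) reqid=0(0x00000000)
    E: 3des-cbc dda02628 3c181562 175f3914 45f65dc4 025bc3d0 7ffa7065
    A: hmac-sha1 ad8ccdac b2cc18d4 2dcc2076 231ce150 89a89eb1
192.168.1.9 192.168.1.41
    esp mode=transport spi=67905(0x00010941) reqid=0(0x00000000)
    E: 3des-cbc dda02628 3c181562 175f3914 45f65dc4 025bc3d0 7ffa7065
    A: hmac-sha1 ad8ccdac b2cc18d4 2dcc2076 231ce150 89a89eb1
"""
IPSECADM_SHOW = """\
sadb_dump: satype esp vers 2 len 26 seq 0 pid 0
    sa: spi 0x00010941 auth hmac-sha1 enc 3des-cbc
    address_src: 192.168.1.9
    address_dst: 192.168.1.41
    key_auth: bits 160: ad8ccdacb2cc18d42dcc2076231ce15089a89eb1
    key_encrypt: bits 192:
dda026283c181562175f391445f65dc4025bc3d07ffa7065
sadb_dump: satype esp vers 2 len 26 seq 0 pid 0
    sa: spi 0x00014109 auth hmac-sha1 enc 3des-cbc
    address_src: 192.168.1.41
    address_dst: 192.168.1.9
    key_auth: bits 160: ad8ccdacb2cc18d42dcc2076231ce15089a89eb1
    key_encrypt: bits 192: dda026283c181562175f391445f65dc4025bc3d07ffa7065
"""
NETSTAT_ESP = """\
esp:
    78755 input ESP packets
    42322 output ESP packets
    0 packets with bad encryption received
    82 packets that failed verification received
    106374024 input bytes
    1933980 output bytes
"""

def parse_setkey(text):
    """`setkey -D` text -> {(src, dst): {spi, enc, ekey, auth, akey}}."""
    sas, cur = {}, {}                                   # cur: record being filled
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        f = line.split()
        if not line[0].isspace() and len(f) == 2:       # "src dst" header line
            cur = sas[(f[0], f[1])] = {"src": f[0], "dst": f[1]}
        elif f[0] == "esp":                             # ... spi=82185(0x00014109) ...
            cur["spi"] = int(re.search(r"\((0x[0-9a-f]+)\)", line).group(1), 16)
        elif f[0] == "E:":                              # algorithm, key as 32-bit words
            cur["enc"], cur["ekey"] = f[1], "".join(f[2:])
        elif f[0] == "A:":
            cur["auth"], cur["akey"] = f[1], "".join(f[2:])
    return sas

def parse_ipsecadm(text):
    """`ipsecadm show` text -> same shape; a key value that was wrapped onto
    the line after its 'key_...: bits N:' header is still picked up."""
    recs, cur, pending = [], {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        f = line.split()
        if f[0] == "sadb_dump:":                        # start of an SA record
            cur, pending = {}, None
            recs.append(cur)
        elif f[0] == "sa:":                             # sa: spi X auth Y enc Z
            kv = dict(zip(f[1::2], f[2::2]))
            cur["spi"], cur["auth"], cur["enc"] = int(kv["spi"], 16), kv["auth"], kv["enc"]
        elif f[0] in ("address_src:", "address_dst:"):
            cur[f[0][8:11]] = f[1]                      # -> "src" / "dst"
        elif f[0] in ("key_auth:", "key_encrypt:"):     # key_auth: bits 160: <hex>
            name = "akey" if f[0] == "key_auth:" else "ekey"
            cur[name], pending = (f[3], None) if len(f) > 3 else ("", name)
        elif pending and re.fullmatch(r"[0-9a-f]+", f[0]):
            cur[pending], pending = f[0], None          # wrapped key value
    return {(r["src"], r["dst"]): r for r in recs}

FIELDS = ("spi", "auth", "enc", "akey", "ekey")
def compare_sas(a, b):
    """(direction, field, a_value, b_value) for each disagreement; an SA known
    to one side only shows as None values on the other. Empty list == match."""
    return [(k, x, a.get(k, {}).get(x), b.get(k, {}).get(x))
            for k in sorted(set(a) | set(b)) for x in FIELDS
            if a.get(k, {}).get(x) != b.get(k, {}).get(x)]

TRAFFIC = re.compile(r"^(input|output) (ESP packets|bytes|UDP encapsulated ESP packets)$")
def esp_error_counters(text):
    """{description: count} for non-zero esp: counters that are not traffic totals."""
    flagged, in_esp = {}, False
    for s in (l.strip() for l in text.splitlines()):
        if s.endswith(":"):                             # section header, e.g. esp:
            in_esp = s == "esp:"
        elif in_esp and (m := re.match(r"(\d+) (.+)", s)):
            if int(m.group(1)) and not TRAFFIC.match(m.group(2)):
                flagged[m.group(2)] = int(m.group(1))
    return flagged

if __name__ == "__main__":
    print(compare_sas(parse_setkey(SETKEY_D), parse_ipsecadm(IPSECADM_SHOW)))
    print(esp_error_counters(NETSTAT_ESP))
```

On the quoted data the SA comparison comes back empty (both SPIs, 3des-cbc/hmac-sha1 and both keys agree on the two hosts), so the configuration is consistent and the only counter left standing is the 82 packets that failed verification on the OpenBSD side; that narrows the problem to how the hmac-sha1 ICV is being computed on one end, which is where the ubsec path differs from the software path.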