Subject: Re: Soc : FAST_IPSEC integration for ipv6
To: DEGROOTE Arnaud <>
From: Michael Richardson <>
List: tech-net
Date: 05/02/2006 09:57:02

>>>>> "DEGROOTE" == DEGROOTE Arnaud <> writes:
    >> Set up two KAME IPv6 IPSEC peers. Configure static-keyed SAs (to avoid
    >> IKE) between them. Then, replace one KAME IPsec peer with a FAST_IPSEC
    >> peer, preserving the IP address and KAME IPsec configuration.  Then
    >> you can start implementing and debugging the IPv6 IPsec receive path,
    >> using ping6 to generate traffic.

    DEGROOTE> It is not far from my first idea ( at least for the
    DEGROOTE> configuration ). Do you think I can work with some domU ?

  Does Xen give you any better KDB/KGDB interface?
  With Linux hypervisor, serial console was fooked for guests. Can GDB
talk to "xm console"?

  Use whatever you can get serial console and serial kgdb setup for.

    >> * Good skills with BSD kernel debugging.
    >> * Lots and lots and *lots* of patience. (Debugging  mis-processing
    >> of encrypted traffic is extremely frustrating; until *everything*
    >> works correctly, all you get is junk).

    DEGROOTE> Ok I'm your man so : I have tons of patience :D

  It helps to be able to single step through the transmitting code, so
that you can match things.  You need to be able to dump buffers that are
going into the hmac-sha1 routines so that you can compare things.
  It's also seriously worth it if you can build a user-space unit test.

  (c.f. Perry's Quality discussion)

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

    "The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr

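
An added example, not part of the original message: a user-space reference check of the kind suggested above, which recomputes the integrity check value for a statically keyed SA and prints the exact bytes fed to HMAC-SHA1 so they can be diffed against a kernel-side dump. It assumes ESP with HMAC-SHA1-96 (RFC 2404); the key, SPI and packet bytes are constructed sample data, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): first 96 bits of the SHA-1 HMAC


def hexdump(buf, width=16):
    """Offset-prefixed hex lines, easy to diff against a kernel-side dump."""
    return "\n".join(
        "%04x  %s" % (off, " ".join("%02x" % b for b in buf[off:off + width]))
        for off in range(0, len(buf), width))


def first_diff(a, b):
    """Offset of the first differing byte, or None if the buffers match."""
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return off
    return None if len(a) == len(b) else min(len(a), len(b))


def check_icv(auth_key, esp):
    """Return (ok, expected_icv, covered) for one ESP packet (ICV at the end)."""
    if len(esp) < 8 + ICV_LEN:
        raise ValueError("too short for SPI + sequence number + ICV")
    covered, received = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, received), expected, covered


# Constructed sample data: static SA auth key, SPI 0x1000, sequence number 1,
# and 24 opaque bytes standing in for IV + ciphertext.
KEY = bytes(range(20))
BODY = struct.pack("!II", 0x1000, 1) + bytes(range(0x40, 0x58))
GOOD = BODY + hmac.new(KEY, BODY, hashlib.sha1).digest()[:ICV_LEN]
# Same packet as a buggy receive path might hand it over: one byte altered.
BAD = GOOD[:9] + b"\xff" + GOOD[10:]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        ok, expected, covered = check_icv(KEY, pkt)
        print(name, "ICV ok" if ok else "ICV MISMATCH", expected.hex())
        print(hexdump(covered))
    print("first differing offset:", first_diff(GOOD, BAD))
```

Feeding the kernel's dumped buffer and the sender's buffer to `first_diff` narrows a mismatch to a byte offset, which is usually enough to tell a header-handling error from a wrong key.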