tech-net: Re: Soc : FAST_IPSEC integration for ipv6

Subject: Re: Soc : FAST_IPSEC integration for ipv6
To: DEGROOTE Arnaud <degroote@enseirb.fr>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/02/2006 09:57:02
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "DEGROOTE" == DEGROOTE Arnaud <degroote@enseirb.fr> writes:
    >> Set up two KAME IPv6 IPSEC peers. Configure static-keyed SAs (to avoid
    >> IKE) between them. Then, replace one KAME IPsec peer with a FAST_IPSEC
    >> peer, preserving the IP address and KAME IPsec configuration.  Then
    >> you can start implmeenting and debugging the IPv6 IPsec receive path,
    >> using ping6 to generate traffic.
    >> 

    DEGROOTE> It is not far from my first idea ( at least for the
    DEGROOTE> configuration ). Do you think I can work with some domU ?

  Does Xen give you any better KDB/KGDB interface?
  With Linux hypervisor, serial console was fooked for guests. Can GDB
talk to "xm console"?

  Use whatever you can get serial console and serial kgdb setup for.

    >> * Good skills with BSD kernel debugging.
    >> 
    >> * Lots and lots and *lots* of patience. (Debugging  mis-processing
    >> of encrypted traffic is extremely frustrating; until *everything*
    >> works correctly, all you get is junk).

    DEGROOTE> Ok I'am your man so : I have tons of patience :D

  It helps to be able to single step through the transmitting code, so
that you can match things.  You need to be able to dump buffers that are
going into the hmac-sha1 routines so that you can compare things.
  It's also seriously worth it if you can build a user-space unit test.

  (c.f. Perry's Quality discussion)

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

    "The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRFdlLICLcPvd0N1lAQKGVAf/RZvtuJazvus433VFpYV3gJu5yhEuCLg5
NhrHCuYB8YaFcLKtCw8FriBkZ7tyjWm1LxfuKuqbOpqiZPpm0mSPOswsveVEQM5d
AVVEt+CsmKo3a9Phg4BYmCQq/DyrLsRhZ7USJr8q7bb2Ne+92E3BDrwGxG++X3fE
F3KC0P+s0RsZNfRJ4RRvmwnhkYdLpZMSLttsmGq2/82lVNtqn6rin627QQEeof0x
pOpScwC9hsIf0ojKv+4oRsnrktuTwqX6oFwwRBS8Ak1IxtQVlzhwCr3I9ABQP7jF
yfsOhq9j/S9iTlfsb/myU/LHGtnbu1xuhImMAHUGUqDprRvTR/Rw2Q==
=qqeu
-----END PGP SIGNATURE-----