Hi Erik-san,

I'm using IP security in a router product based on NetBSD.

> Who among us is using IP security in practice (production)?
>
> Are you using it just for VPN/tunneling, or in transport mode?

I'm using it for

1. IPsec-VPN (many use cases, simple ESP tunnel)
2. L2TP-VPN (many use cases, L2TP tunnel + ESP transport)
3. Secure logging (sometimes, syslog + ESP transport)

I feel 99% of use cases are tunneling.

> How well does it perform?

I'm using "options IPSEC", which is the KAME IPsec implementation. "options FAST_IPSEC" should be better than KAME.

Interoperability of AH and ESP is fine. Throughput (bps or pps) is not fine. I think the throughput problem is not caused by IPsec itself; the IP stack is slower than other implementations today. Especially, the throughput of the NetBSD IP stack is slower in SMP environments.

I'm using /usr/sbin/racoon (and many local hacks) for key exchange, but racoon is too old an implementation. There are some newer and better implementations of IKE. I think replacing the old racoon would be good.

> What quirks does it have?

Lookup of the SPDB and SADB becomes slower when using a large DB. If you use a large number of transport mode IPsec communications, or concentrate a large number of VPN tunnels, this may cause troubles. Some LIST_FOREACH() loops spend a very long time.

The workings of phil_run_hook() cause a misunderstanding when using a combination of some tunneling protocol and transport mode IPsec. Filters don't work for decapsulated (inner) packets. For example, if you use a gif tunnel and transport mode IPsec, filters for gif may not work. See ipsec.c line 550 for detail. I think the filtering manner for packets encapsulated using IPsec needs reconsideration.

> How does our documentation stack up? Was it clear enough by itself, or did
> you have to consult other sources to get IP security to work on NetBSD?

The man pages are good enough from a programmer's view. I don't know about documentation for network users.

Thanks,

----------
Internet Initiative Japan Inc.
Product Technology Section, Product Development Division, SEIL Business Unit
SUENAGA Hiroki <hsuenaga%iij.ad.jp@localhost>