Implementing draft-send-ipsec and CGA on Linux

Slides: 7
Provided by: jonath83
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Implementing draft-send-ipsec and CGA on Linux
  • Jonathan Wood
  • DoCoMo Labs USA

2
Linux Implementation Findings
  • Implementation investigation of draft-ietf-send-ipsec-01.txt on Linux 2.5.x
  • Linux 2.5.x has IPSec for IPv4 and IPv6
  • Focus on efficiency and modularity
  • Conforms to RFCs 2401, 2402, 2406

3
Major Impact on IPsec Fastpath
  • Packet processing happens in interrupt context
  • SEND requires tasks like RSA, ASN.1, cert chain retrieval and processing
  • May not be suitable for interrupt context
  • During AH or ext header processing, it is hard to offload these tasks to a kernel thread or userspace and resume processing later

4
Major Impact on Transform Interface
  • AH_RSA_Sig transform has different semantics than other transforms
  • Existing transform interface is not sufficient
  • Would need to add new interfaces for the AH_RSA_Sig transform
  • Bottom line: from an implementor's standpoint, no work is saved by using IPSec

5
CGA Implementation Findings
  • As specified, OK for kernel use
  • Need specialized ASN.1 parser (as suggested by Pekka) - but may lose extensibility
  • Address generation performance (parallelized algorithm)
    • P4, UP, 1.7 GHz: 130000 iterations/sec
      • Sec = 1: 0.5 seconds
      • Sec = 2: 9.1 hours
    • Xeon, dual 2.4 GHz: 512000 iterations/sec
      • Sec = 1: 0.125 seconds
      • Sec = 2: 2.3 hours
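
The timings above line up with the expected cost of the CGA modifier search, about 2^(16·Sec) SHA-1 evaluations. The sketch below is an added example, not code from the presentation: it follows the Hash2 search as later published in RFC 3972 (the draft measured here may differ in detail), runs single-threaded rather than parallelized, and uses `PUBKEY`, a constructed stand-in for a DER-encoded public key.

```python
import hashlib

# Constructed stand-in for a DER-encoded public key (not a real key).
PUBKEY = b"constructed-public-key-bytes-for-illustration"

# Iteration rates quoted on the slide (iterations/sec).
SLIDE_RATES = {"P4, UP, 1.7 GHz": 130000, "Xeon, dual 2.4 GHz": 512000}


def hash2(modifier: int, pubkey: bytes, ext: bytes = b"") -> bytes:
    """Leftmost 112 bits of SHA-1(modifier || 9 zero octets || key || ext)."""
    data = modifier.to_bytes(16, "big") + bytes(9) + pubkey + ext
    return hashlib.sha1(data).digest()[:14]


def find_modifier(pubkey: bytes, sec: int, start: int = 0):
    """Increment the 128-bit modifier until the 16*sec leftmost bits of
    Hash2 are zero. Returns (modifier, number of hashes computed)."""
    if not 0 <= sec <= 7:
        raise ValueError("Sec is a 3-bit value (0..7)")
    shift = 112 - 16 * sec  # bits of Hash2 that are allowed to be non-zero
    modifier, tries = start, 1
    while int.from_bytes(hash2(modifier, pubkey), "big") >> shift:
        modifier = (modifier + 1) % (1 << 128)
        tries += 1
    return modifier, tries


def expected_seconds(sec: int, rate: float) -> float:
    """Mean search time: about 2**(16*sec) hashes at `rate` hashes/sec."""
    return 2 ** (16 * sec) / rate


if __name__ == "__main__":
    modifier, tries = find_modifier(PUBKEY, sec=1)
    print(f"Sec=1: modifier {modifier:#x} found after {tries} hashes")
    print(f"Hash2 = {hash2(modifier, PUBKEY).hex()}")
    for name, rate in SLIDE_RATES.items():
        print(f"{name}: Sec=1 ~{expected_seconds(1, rate):.3f} s, "
              f"Sec=2 ~{expected_seconds(2, rate) / 3600:.1f} h")
```

Each step of Sec multiplies the mean search cost by 65536, which is why the slide's figures jump from fractions of a second to hours.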

6
Summary
  • IPsec design privileges a particular implementation that is not well suited for public key algorithms.
  • Implementing SEND with AH would require major restructuring of kernel interfaces and code fast paths.
  • CGA implementation results
    • Requires specialized ASN.1 parser.
    • Efficient implementation possible.