1 Modular ALGO support version 0.8.0 for freeswan-1.97.
3 New ESP (Phase2) algos:
4 Encrypt : AES, Twofish, Serpent, Blowfish, CAST
5 Auth: SHA2, SHA1 (asm module), MD5 (asm module).
6 New IKE (Phase1) algos:
7 Encrypt : AES, Twofish, Serpent, Blowfish, CAST
10 (alternative) x509 pluto patch working ok.
12 Tested on linux 2.4.18/i386, 2.4.9-31/i386; 2.2.16/s390 (surprise! :)
14 *** PLEASE read CHANGES.ipsec_alg file for updates ***
16 READMe-ipsec_alg.txt --Juanjo <jjo-ipsec@mendoza.gov.ar> 16/05/02
17 ==================== Linux IP Aliasing creator, IPMASQ 2.2 Maintainer
19 - optimized AES cipher can achieve 2x to 3x speed increase (or CPU unhog),
20 thus converting (see docs/performance.html) CPU=C*25 to
21 CPU [mhz]= C [mbit/s] *10
22 thus, you can almost saturate a 100mbit/s link with 1GHz PIII.
23 - modular ESP ciphers and authenticators patch (generic KLIPS hooks)
24 - ESP encrypt algos: AES, Serpent, Twofish, Blowfish, CAST and 3DES (modl)
25 - ESP auth algos: SHA2, SHA1, MD5, RIPEMD and (experimental) XCBC_MAC_AES
26 - IKE encrypt algos: AES, Twofish, Serpent, Blowfish.
27 - IKE hash algos: SHA2.
28 - x509 coexistance (alternative pluto patch)
29 - interop: patched/stock freeswan, OpenBSD 3.0, FreeBSD-4.5 and SSH Sentinel
30 * PLEASE READ AHEAD (TABLE) *
31 - timing tests support (raw algo speed):
32 modprobe ipsec_aes test=1; dmesg | tail -10
33 modprobe ipsec_3des test=1; dmesg | tail -10
35 . add new IKE algos from ./pluto/alg/*ike_alg*
36 . get informed of new runtime algos available (from kernel SADB_REGISTER)
37 . create P1 proposals from ike= config parameter (eg: ike=aes128-sha)
38 . create proposals from esp= config parameters (eg: esp=aes128-sha1 ) ANDed
39 with kernel algos actually present.
40 . show status about ESP algos (ipsec auto --status | egrep ESP)
41 . show status about IKE algos (ipsec auto --status | egrep IKE)
42 . show ESP and IKE algos for each conn.
43 + ipsec auto --status | egrep algo.*newe
45 . allow manual conns with same algorithm strings as pluto, reads
46 /proc/net/pf_key_supported to validate algorithm "presence" and
47 key sizes (and thus "predict" EINVAL errors).
50 - generalized algo hook for ESP encrypt and auth
51 - ipsec_alg object linked (pointed) from ipsec_sa
52 - truely non-invasive patch
53 - generic ESP algo [un]registration that dispatchs SADB_REGISTER msg
54 with new algos info, which is fully parsed by patched pluto.
55 - loaded modules will "override" stock ones (get linked and called first)
56 - actual WORKING implemented algos:
57 encrypt: AES, Twofish, Serpent, Blowfish, 3DES (discont'd: CAST)
58 auth: SHA2, SHA1, MD5, XCBC_MAC_AES (discont'd: RIPEMD)
60 ************************************************************************
61 Interop TESTS (besides self-to-self)
62 FSW : stock freeswan 1.97
64 FBSD : FreeBSD 4.5 (KAME)
65 SSHs : SSH Sentinel 1.3
67 -------------- ----------------------------------------------------------------
68 #ESP encryption algos:
69 -Algorithm x86asm module-name dotconf interop tests
70 AES y ipsec_aes esp=aes OBSD FBSD SSHs *(3,4)
71 3DES y ipsec_3des esp=3des FSW OBSD FBSD SSHs
72 SERPENT n ipsec_serpent esp=serpent -
73 NULL - ipsec_null esp=null -
74 BLOWFISH y ipsec_blowfish esp=blowfish OBSD FBSD SSHs *(3,5)
75 CAST y ipsec_cast esp=cast OBSD FBSD SSHs *(3,6)
76 TWOFISH n ipsec_twofish esp=twofish -- SSHs
78 #ESP authentication algos:
79 -Algorithm x86asm module-name dotconf interop tests
80 SHA2_256 n ipsec_sha2 esp=<enc>-sha2_256 -
81 SHA2_512 n ipsec_sha2 esp=<enc>-sha2_512 -
82 SHA1 y ipsec_sha1 esp=<enc>-sha1 FSW OBSD FBSD SSHs
83 MD5 y ipsec_md5 esp=<enc>-md5 FSW OBSD FBSD SSHs
84 RIPEMD y ipsec_ripemd esp=<enc>-ripemd OBSD (*1)
85 XCBC_MAC_AES y ipsec_aes esp=<enc>-id9 - (*2)
86 -------------- ---------------------------------------------------------------
87 #IKE encryption algos:
88 -Algorithm x86asm dotconf interop tests
89 AES - ike=aes128 -- FBSD SSHs
90 BLOWFISH - ike=blowfish128 OBSD FBSD SSHs
91 CAST - ike=cast128 OBSD FBSD SSHs (*3)
92 TWOFISH - ike=twofish128 -- -- SSHs
93 3DES - ike=3des ---stock-algo---
96 -Algorithm x86asm dotconf interop tests
97 MD5 - ike=<enc>-md5 ---stock-algo---
98 SHA1 - ike=<enc>-sha ---stock-algo---
99 SHA2_256 - ike=<enc>-sha2_256 -- FBSD --
100 SHA2_512 - ike=<enc>-sha2_512 -- -- -- FBSD/KAME fails
101 -------------- ---------------------------------------------------------------
102 x86-asm : if arch==i586/i686 it uses optimized assembler
103 you can disable with env NO_ASM=1 make ...
105 (*1) only with OBSD as initiatior, fails if passive
106 (*2) experimental (draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt), working Ok
107 enable with: "modprobe ipsec_aes auth_id=<n>" and n<=8,
108 I privately test with n=9, and put "esp=aes-id9" in dotconf.
109 (*3) only with SSHs as responder because SSHs makes a proposal with
110 OAKLEY_ENCRYPTION_ALGORITHM=65289.
111 SOLUTION: apply extras/patch-ssh-sentinel-IKE2.diff to allow
112 SSHs originated SAs (it justs make pluto know about 65289),
113 of course, will still negotiate OAKLEY_3DES_CBC.
114 ^^THIS INFO MAYBE OUTDATED^^
116 (*4) for SSHs and FBSD: specify "esp=aes128" in dotconf
117 (*5) for FBSD and OBSD: specify "esp=blowfish128" in dotconf
118 (*6) dis-continued after 0.7.3
121 _Algorithm sources taken from_:
122 OpenSSL : sha1, md5, ripemd, blowfish, cast
124 Crypto-API : twofish, serpent
126 Jari Ruusu : aes (gnu asm), sha2
127 Nigel Metheringham: aes-opt (asm) at libaes.sourceforge.net
128 ************************************************************************
130 Available under GPL at
132 http://www.irrigacion.gov.ar/juanjo/ipsec/
133 http://www.osep.mendoza.gov.ar/juanjo/ipsec/
135 (CA) http://nyetwork.org/ipsec/aes/ OUTDATED
136 (UK) ftp://zeniii.linux.org.uk/pub/linux/crypto/ipsec/
137 (BR) http://ipsecaes.fase.com.br/
139 $Id: README.ipsec_alg,v 1.1 2002-07-15 05:55:20 danield Exp $
OSDN Git Service
