version 1.86, 2001/06/26 11:46:14 |
version 1.87, 2001/06/27 11:51:21 |
|
|
|
|
|
|
<img align=right src="images/vpnc-test-partner.gif"> |
<img align=right src="images/vpnc-test-partner.gif"> |
OpenBSD was the first operating system to ship with an IPSEC stack. |
OpenBSD was the first operating system to ship with an IPsec stack. |
We've been including IPSEC since early OpenBSD 2.1 release in 1997. |
We've been including IPsec since early OpenBSD 2.1 release in 1997. |
Our fully conformant in-kernel IPSEC stack, with hardware acceleration |
Our fully conformant in-kernel IPsec stack, with hardware acceleration |
based on a number of cards, and our own free ISAKMP daemon, is used as |
based on a number of cards, and our own free ISAKMP daemon, is used as |
one of the machines in the IPSEC conformance testbed run by |
one of the machines in the IPsec conformance testbed run by |
<a href="http://www.vpnc.org">VPNC</a>. |
<a href="http://www.vpnc.org">VPNC</a>. |
<br clear=all> |
<br clear=all> |
<p> |
<p> |
|
|
<li>Stronger temporary names for mktemp(3) and mkstemp(3) |
<li>Stronger temporary names for mktemp(3) and mkstemp(3) |
<li>Randomness added to the TCP ISS value for protection against |
<li>Randomness added to the TCP ISS value for protection against |
spoofing attacks. |
spoofing attacks. |
<li>random padding in IPSEC esp_old packets. |
<li>random padding in IPsec esp_old packets. |
<li>To generate salts for the various password algorithms. |
<li>To generate salts for the various password algorithms. |
<li>For generating fake S/Key challenges. |
<li>For generating fake S/Key challenges. |
<li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
<li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
|
|
<ul> |
<ul> |
<li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=skey>S/Key</a> |
<li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=skey>S/Key</a> |
to provide one time passwords. |
to provide one time passwords. |
<li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPSEC</a>, |
<li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPsec</a>, |
<a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
<a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
and |
and |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd(8)</a> |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd(8)</a> |
|
|
passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a> |
passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a> |
on this topic. |
on this topic. |
<li>In |
<li>In |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPSEC</a> |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPsec</a> |
to provide confidentiality for the network layer. |
to provide confidentiality for the network layer. |
<li>In Kerberos and a handful of kerberized applications, like |
<li>In Kerberos and a handful of kerberized applications, like |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=telnet>telnet</a>, |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=telnet>telnet</a>, |
|
|
<li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/> |
<li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/> |
photurisd</a> and |
photurisd</a> and |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd</a> |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd</a> |
to protect the exchanges where IPSEC key material is negotiated. |
to protect the exchanges where IPsec key material is negotiated. |
<li>In AFS to protect the messages passing over the network, providing |
<li>In AFS to protect the messages passing over the network, providing |
confidentiality of remote filesystem access. |
confidentiality of remote filesystem access. |
<li>In libssl to let applications communicate over the de-facto standard |
<li>In libssl to let applications communicate over the de-facto standard |
|
|
OpenBSD, starting with 2.7, has begun supporting some cryptography hardware |
OpenBSD, starting with 2.7, has begun supporting some cryptography hardware |
such as accelerators and random number generators. |
such as accelerators and random number generators. |
<ul> |
<ul> |
<li><b>IPSEC crypto dequeue</b><br> |
<li><b>IPsec crypto dequeue</b><br> |
Our IPSEC stack has been modified so that cryptographic functions get |
Our IPsec stack has been modified so that cryptographic functions get |
done out-of-line. Most simple software IPSEC stacks need to do |
done out-of-line. Most simple software IPsec stacks need to do |
cryptography when processing each packet. This results in synchronous |
cryptography when processing each packet. This results in synchronous |
performance. To use hardware properly and speedily one needs to separate |
performance. To use hardware properly and speedily one needs to separate |
these two components, as we have done. Actually, doing this gains some |
these two components, as we have done. Actually, doing this gains some |
|
|
stable. We wrote our own driver for supporting this chip, rather |
stable. We wrote our own driver for supporting this chip, rather |
than using the (USA-written) |
than using the (USA-written) |
<a href="http://www.powercrypt.com">powercrypt</a> driver, as well |
<a href="http://www.powercrypt.com">powercrypt</a> driver, as well |
our driver links in properly to the IPSEC stack. |
our driver links in properly to the IPsec stack. |
The 7751 is now considered slow by industry standards and many vendors |
The 7751 is now considered slow by industry standards and many vendors |
have faster chips (even HiFn now has a faster but more expensive |
have faster chips (even HiFn now has a faster but more expensive |
chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. |
chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. |
|
|
has now been integrated once we were able to get a free license on the |
has now been integrated once we were able to get a free license on the |
microcode. We have also received (all?) the information needed for |
microcode. We have also received (all?) the information needed for |
supporting the cryptographic functions, which will require a little bit of |
supporting the cryptographic functions, which will require a little bit of |
IPSEC subsystem rearranging. Check back later.. |
IPsec subsystem rearranging. Check back later.. |
<p> |
<p> |
|
|
<li><b>Intel IPSEC card</b><br> |
<li><b>Intel IPsec card</b><br> |
Much like Intel does for all their networking division components, and |
Much like Intel does for all their networking division components, and |
completely unlike most other vendors, Intel steadfastly refuse to provide |
completely unlike most other vendors, Intel steadfastly refuse to provide |
us with documentation. We have talked to about five technical people who |
us with documentation. We have talked to about five technical people who |
|
|
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4"> |
Intel 82802AB/82802AC Firmware Hub RNG</a></b><br> |
Intel 82802AB/82802AC Firmware Hub RNG</a></b><br> |
The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) |
The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) |
contains a random number generator (RNG). High-performance IPSEC |
contains a random number generator (RNG). High-performance IPsec |
requires more random number entropy. As of April 10, 2000, we support |
requires more random number entropy. As of April 10, 2000, we support |
the RNG. We will add support for other RNG's found on crypto chips. |
the RNG. We will add support for other RNG's found on crypto chips. |
<p> |
<p> |