| version 1.86, 2001/06/26 11:46:14 |
version 1.87, 2001/06/27 11:51:21 |
|
|
| |
|
| |
|
| <img align=right src="images/vpnc-test-partner.gif"> |
<img align=right src="images/vpnc-test-partner.gif"> |
| OpenBSD was the first operating system to ship with an IPSEC stack. |
OpenBSD was the first operating system to ship with an IPsec stack. |
| We've been including IPSEC since early OpenBSD 2.1 release in 1997. |
We've been including IPsec since early OpenBSD 2.1 release in 1997. |
| Our fully conformant in-kernel IPSEC stack, with hardware acceleration |
Our fully conformant in-kernel IPsec stack, with hardware acceleration |
| based on a number of cards, and our own free ISAKMP daemon, is used as |
based on a number of cards, and our own free ISAKMP daemon, is used as |
| one of the machines in the IPSEC conformance testbed run by |
one of the machines in the IPsec conformance testbed run by |
| <a href="http://www.vpnc.org">VPNC</a>. |
<a href="http://www.vpnc.org">VPNC</a>. |
| <br clear=all> |
<br clear=all> |
| <p> |
<p> |
|
|
| <li>Stronger temporary names for mktemp(3) and mkstemp(3) |
<li>Stronger temporary names for mktemp(3) and mkstemp(3) |
| <li>Randomness added to the TCP ISS value for protection against |
<li>Randomness added to the TCP ISS value for protection against |
| spoofing attacks. |
spoofing attacks. |
| <li>random padding in IPSEC esp_old packets. |
<li>random padding in IPsec esp_old packets. |
| <li>To generate salts for the various password algorithms. |
<li>To generate salts for the various password algorithms. |
| <li>For generating fake S/Key challenges. |
<li>For generating fake S/Key challenges. |
| <li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
<li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
|
|
| <ul> |
<ul> |
| <li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=skey>S/Key</a> |
<li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=skey>S/Key</a> |
| to provide one time passwords. |
to provide one time passwords. |
| <li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPSEC</a>, |
<li>In <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPsec</a>, |
| <a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
<a href=http://www.physnet.uni-hamburg.de/provos/photuris/>photurisd</a> |
| and |
and |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd(8)</a> |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd(8)</a> |
|
|
| passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a> |
passwords. See also the <a href="papers/bcrypt-paper.ps">USENIX paper</a> |
| on this topic. |
on this topic. |
| <li>In |
<li>In |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPSEC</a> |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec>IPsec</a> |
| to provide confidentiality for the network layer. |
to provide confidentiality for the network layer. |
| <li>In Kerberos and a handful of kerberized applications, like |
<li>In Kerberos and a handful of kerberized applications, like |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=telnet>telnet</a>, |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=telnet>telnet</a>, |
|
|
| <li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/> |
<li>In <a href=http://www.physnet.uni-hamburg.de/provos/photuris/> |
| photurisd</a> and |
photurisd</a> and |
| <a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd</a> |
<a href=http://www.openbsd.org/cgi-bin/man.cgi?query=isakmpd>isakmpd</a> |
| to protect the exchanges where IPSEC key material is negotiated. |
to protect the exchanges where IPsec key material is negotiated. |
| <li>In AFS to protect the messages passing over the network, providing |
<li>In AFS to protect the messages passing over the network, providing |
| confidentiality of remote filesystem access. |
confidentiality of remote filesystem access. |
| <li>In libssl to let applications communicate over the de-facto standard |
<li>In libssl to let applications communicate over the de-facto standard |
|
|
| OpenBSD, starting with 2.7, has begun supporting some cryptography hardware |
OpenBSD, starting with 2.7, has begun supporting some cryptography hardware |
| such as accelerators and random number generators. |
such as accelerators and random number generators. |
| <ul> |
<ul> |
| <li><b>IPSEC crypto dequeue</b><br> |
<li><b>IPsec crypto dequeue</b><br> |
| Our IPSEC stack has been modified so that cryptographic functions get |
Our IPsec stack has been modified so that cryptographic functions get |
| done out-of-line. Most simple software IPSEC stacks need to do |
done out-of-line. Most simple software IPsec stacks need to do |
| cryptography when processing each packet. This results in synchronous |
cryptography when processing each packet. This results in synchronous |
| performance. To use hardware properly and speedily one needs to separate |
performance. To use hardware properly and speedily one needs to separate |
| these two components, as we have done. Actually, doing this gains some |
these two components, as we have done. Actually, doing this gains some |
|
|
| stable. We wrote our own driver for supporting this chip, rather |
stable. We wrote our own driver for supporting this chip, rather |
| than using the (USA-written) |
than using the (USA-written) |
| <a href="http://www.powercrypt.com">powercrypt</a> driver, as well |
<a href="http://www.powercrypt.com">powercrypt</a> driver, as well |
| our driver links in properly to the IPSEC stack. |
our driver links in properly to the IPsec stack. |
| The 7751 is now considered slow by industry standards and many vendors |
The 7751 is now considered slow by industry standards and many vendors |
| have faster chips (even HiFn now has a faster but more expensive |
have faster chips (even HiFn now has a faster but more expensive |
| chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. |
chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. |
|
|
| has now been integrated once we were able to get a free license on the |
has now been integrated once we were able to get a free license on the |
| microcode. We have also received (all?) the information needed for |
microcode. We have also received (all?) the information needed for |
| supporting the cryptographic functions, which will require a little bit of |
supporting the cryptographic functions, which will require a little bit of |
| IPSEC subsystem rearranging. Check back later.. |
IPsec subsystem rearranging. Check back later.. |
| <p> |
<p> |
| |
|
| <li><b>Intel IPSEC card</b><br> |
<li><b>Intel IPsec card</b><br> |
| Much like Intel does for all their networking division components, and |
Much like Intel does for all their networking division components, and |
| completely unlike most other vendors, Intel steadfastly refuse to provide |
completely unlike most other vendors, Intel steadfastly refuse to provide |
| us with documentation. We have talked to about five technical people who |
us with documentation. We have talked to about five technical people who |
|
|
| <li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4"> |
<li><b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pchb&sektion=4"> |
| Intel 82802AB/82802AC Firmware Hub RNG</a></b><br> |
Intel 82802AB/82802AC Firmware Hub RNG</a></b><br> |
| The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) |
The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) |
| contains a random number generator (RNG). High-performance IPSEC |
contains a random number generator (RNG). High-performance IPsec |
| requires more random number entropy. As of April 10, 2000, we support |
requires more random number entropy. As of April 10, 2000, we support |
| the RNG. We will add support for other RNG's found on crypto chips. |
the RNG. We will add support for other RNG's found on crypto chips. |
| <p> |
<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to crypto.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www