diff options
| author | sam <sam@FreeBSD.org> | 2002-10-16 02:10:08 +0000 |
|---|---|---|
| committer | sam <sam@FreeBSD.org> | 2002-10-16 02:10:08 +0000 |
| commit | f6bdcf8ff2c152663769d4f1bcdb9872cdcb5453 (patch) | |
| tree | a72213e1c49c93624cf054580ee4bc74717a7228 /sys/netipsec/esp_var.h | |
| parent | 92baaff27422749fe3e0b54cb403b84342c91f30 (diff) | |
| download | FreeBSD-src-f6bdcf8ff2c152663769d4f1bcdb9872cdcb5453.zip FreeBSD-src-f6bdcf8ff2c152663769d4f1bcdb9872cdcb5453.tar.gz | |
"Fast IPsec": this is an experimental IPsec implementation that is derived
from the KAME IPsec implementation, but with heavy borrowing and influence
of openbsd. A key feature of this implementation is that it uses the kernel
crypto framework to do all crypto work so when h/w crypto support is present
IPsec operation is automatically accelerated. Otherwise the protocol
implementations are rather differet while the SADB and policy management
code is very similar to KAME (for the moment).
Note that this implementation is enabled with a FAST_IPSEC option. With this
you get all protocols; i.e. there is no FAST_IPSEC_ESP option.
FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a
single system.
This software is well tested with IPv4 but should be considered very
experimental (i.e. do not deploy in production environments). This software
does NOT currently support IPv6. In fact do not configure FAST_IPSEC and
INET6 in the same system.
Obtained from: KAME + openbsd
Supported by: Vernier Networks
Diffstat (limited to 'sys/netipsec/esp_var.h')
| -rw-r--r-- | sys/netipsec/esp_var.h | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/sys/netipsec/esp_var.h b/sys/netipsec/esp_var.h new file mode 100644 index 0000000..22cf3aa --- /dev/null +++ b/sys/netipsec/esp_var.h @@ -0,0 +1,78 @@ +/* $FreeBSD$ */ +/* $OpenBSD: ip_esp.h,v 1.37 2002/06/09 16:26:10 itojun Exp $ */ +/* + * The authors of this code are John Ioannidis (ji@tla.org), + * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Niels Provos (provos@physnet.uni-hamburg.de). + * + * The original version of this code was written by John Ioannidis + * for BSD/OS in Athens, Greece, in November 1995. + * + * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, + * by Angelos D. Keromytis. + * + * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis + * and Niels Provos. + * + * Additional features in 1999 by Angelos D. Keromytis. + * + * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, + * Angelos D. Keromytis and Niels Provos. + * Copyright (c) 2001 Angelos D. Keromytis. + * + * Permission to use, copy, and modify this software with or without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software. + * You may use this code under the GNU public license if you so wish. Please + * contribute changes back to the authors under this freer than GPL license + * so that we may further the use of strong encryption without limitations to + * all. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE + * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR + * PURPOSE. + */ + +#ifndef _NETIPSEC_ESP_VAR_H_ +#define _NETIPSEC_ESP_VAR_H_ + +/* + * These define the algorithm indices into the histogram. They're + * presently based on the PF_KEY v2 protocol values which is bogus; + * they should be decoupled from the protocol at which time we can + * pack them and reduce the size of the array to a reasonable value. + */ +#define ESP_ALG_MAX 256 /* NB: could be < but skipjack is 249 */ + +struct espstat { + u_int32_t esps_hdrops; /* Packet shorter than header shows */ + u_int32_t esps_nopf; /* Protocol family not supported */ + u_int32_t esps_notdb; + u_int32_t esps_badkcr; + u_int32_t esps_qfull; + u_int32_t esps_noxform; + u_int32_t esps_badilen; + u_int32_t esps_wrap; /* Replay counter wrapped around */ + u_int32_t esps_badenc; /* Bad encryption detected */ + u_int32_t esps_badauth; /* Only valid for transforms with auth */ + u_int32_t esps_replay; /* Possible packet replay detected */ + u_int32_t esps_input; /* Input ESP packets */ + u_int32_t esps_output; /* Output ESP packets */ + u_int32_t esps_invalid; /* Trying to use an invalid TDB */ + u_int64_t esps_ibytes; /* Input bytes */ + u_int64_t esps_obytes; /* Output bytes */ + u_int32_t esps_toobig; /* Packet got larger than IP_MAXPACKET */ + u_int32_t esps_pdrops; /* Packet blocked due to policy */ + u_int32_t esps_crypto; /* Crypto processing failure */ + u_int32_t esps_tunnel; /* Tunnel sanity check failure */ + u_int32_t esps_hist[ESP_ALG_MAX]; /* Per-algorithm op count */ +}; + +#ifdef _KERNEL +extern int esp_enable; +extern struct espstat espstat; +#endif /* _KERNEL */ +#endif /*_NETIPSEC_ESP_VAR_H_*/ |
