[Ksummit-2013-discuss] [ATTEND] State of the IPsec networking subsystem

Steffen Klassert steffen.klassert at secunet.com
Tue Jul 9 09:51:59 UTC 2013


Hi,

I'm the IPsec networking maintainer and maintainer of some networking
and crypto drivers, so I'd like to attend to discuss the
related topics.

My main topic is the state of the IPsec networking subsystem. The IPsec
subsystem interacts with general networking, the crypto and the security
subsystem, do we meet the requirements for everybody? Is everything
designed and implemented as it should be?

The most important thing for every subsystem is to meet the requirements
of its users. This means for IPsec to have a secure and reasonably
fast network connection.

Because crypto transformations are quite cpu intensive, it is hard
for IPsec to keep up with the speed of modern network interfaces. It
would be interesting to discuss how far we could exploit the growing
number of cpu cores and NUMA techniques to speed up IPsec connections.

A security related topic is the future of the IPsec flow cache. Like the
ipv4 routing cache that we removed recently, the IPsec flow cache is
partly controllable by remote entities and might be open to DoS attacks.
Are there ways to disable the IPsec flow cache without losing too much
performance? This would require replacing the IPsec policy/state
slow path lookup by a modern lookup algorithm. Currently we use linear
lists for the slow path lookups. What algorithm could be used instead?
Are there algorithms that perform well for policy and state lookups?

Aside from that I'm always open for other networking, crypto and
security related topics as they come up at the conference.

Regards,

Steffen
