Re: [Ocf-linux-users] Regarding ocf for ipsec

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Jivin Manish RATHI lays it down ...
> Hi,
> Patch I found for linux KLIPS Openswan doesn't look to be applicable to
> latest 2.6.24 kernel.

Go to:
	http://sourceforge.net/project/showfiles.php?group_id=133575

and download

   	ocf-linux-26-20080704.patch.gz

take a stock linux-2.6.24 (or 25) and extract:

	cd linux-2.6.24
	gunzip < ocf-linux-26-20080704.patch.gz | patch -p1

The previous OCF release (20071215) has a patch for 2.6.23.
Either way,  I know it's supported because I am running it :-)

> It's big change and I am not sure about its stability.

The patch is big because it includes all of OCF so that you do not need
to do anything else.  I have had some reports that you may need to fix a
couple of things after applying the patch but I have no details to help
you with on that.

> Has anybody used it over 2.6.24?

Anyone other than me :-)

> Can I use crptodev with linux kernel crypto framework so that I use
> openssl+cryptodev + linux crypto? Is there any patch available?

No and not that I know of.

> I am still not able to appreciate why linux kernel crypto framework not able
> to provide async APIs as OCF is providing.

Read the linux-crypto or the older cryptodev mailing list archives,  it
may help,

Cheers.
Davidm

> -----Original Message-----
> From: David McCullough [mailto:Dav...@se...] 
> Sent: Thursday, July 10, 2008 4:41 AM
> To: Manish RATHI
> Cc: ocf...@li...
> Subject: Re: [Ocf-linux-users] Regarding ocf for ipsec
> 
> 
> Jivin Manish RATHI lays it down ...
> > Hi,
> >  ipsec in vannila linux kernel uses linux kernel crypto not OCF framework?
> 
> yes.
> 
> > I am using OCF driver  for crypto acceleration to be used with openssl
> engine.
> > 
> > Currently ipsec uses linux kernel crypto framework. So I've to write 2 
> > drivers
> 
> You could use the openswan KLIPS stack in the kernel instead.
> 
> > 1) kernel crypto driver
> > 2) OCF driver
> > 
> > I'd like to use single driver that can be used with OpenSSL/OCF and Linux
> kernel crypto.
> > 
> > Is there any stable patch available for ipsec in latest linux kernel so
> that it uses OCF?
> 
> No.  The linux kernel is doing it's own async crypto but I am not sure which
> kernel is is/will appear in and how stable it is.
> 
> > Why OCF is not used in linux kernel for ipsec?
> 
> One reason is licensing (OCF is BSD license).
> 
> > I've read that current
> > ipsec doesn't uses Bottom half so async API framework such as OCF is 
> > not required.  Is it correct?
> 
> An async api is required,  but previously the stack counld not handle it.
> Work is being done in the space by the linux crypto guys.
> 
> > What are the pros and cons of using OCF with ipsec? 
> 
> It goes faster,  you have to patch your kernel,
> 
> Cheers,
> Davidm
> 
> -- 
> David McCullough,  dav...@se...,   Ph:+61 734352815
> Secure Computing - SnapGear  http://www.uCdot.org   http://www.snapgear.com
> 

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org   http://www.snapgear.com