Static IPsec (via setkey) and -A aes-xcbc-mac, how to?
Peter G.
freebsd at disroot.org
Mon Nov 27 15:58:05 UTC 2017
On 27/11/2017 06:15, Peter G. wrote:
> Hi, can somebody please show me the correct syntax of setting static SA
> with aes-xcbc-mac authentication? I checked rfc3566, my "base"
> encryption algo is aes-128, aes-xcbc-mac is supposed to work with a
> 128-bit (16 characters) long key. I don't seem to be able to set it up,
> though.
>
> Example (aes-cbc 128bit + supposedly aes-xcbc-mac):
>
> add 10.10.1.1 10.10.2.2 esp 400 -m transport -u 400 -E rijndael-cbc
> "abcdefghijklmnop" -A aes-xcbc-mac "1234567890123456";
>
> ends up in an error:
>
> line 5: Not supported at [1234567890123456]
> parse failed, line 5.
>
> The same syntax and appropriate key length work with anything else, e.g.
> hmac-sha2-256 with 32 character long key works just fine.
>
Oh, I am on 11.1.
I've found two docs which clearly make this possible:
Firstly, a blog entry in Japanese:
https://moimoitei.blogspot.com/2009/10/measure-ipsec-throughput.html
Secondly, some company's paper on some of their tech (not really
important), but usage of -E aes-ctr with -A aes-xcbc-mac is listed as an
option, page 20:
http://www.lobaro.com/download/6lowpan/ZWIR45xx_AN_Security_Rev_1_30.pdf
I've also reviewed evolution of aes support for cryptodev, e.g. starting
here: https://reviews.freebsd.org/D2566 and all the source files related
to either setkey (for example sbin/setkey/token.l) or opencrypto in the
sources list or at least note aes-xcbc-mac availability.
Does anybody know how to get this working? Or does this mean there's no
actual kernel support for aes-xcbc-mac?
Thanks!
PG
More information about the freebsd-net
mailing list