From: Aidas Kasparas <a.kasparas@gmc.lt>
To: Alaa Dalghan <alaadalghan@hotmail.com>
Cc: linux-security-module@mail.wirex.com, linux-crypto@nl.linux.org,
linux-net@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: Modifying Cryptography Code
Date: Tue, 06 Sep 2005 18:24:42 +0300
Message-ID: <431DB4BA.7040905@gmc.lt>
In-Reply-To: <BAY106-F336464E0C97EA44289AA87ABA70@phx.gbl>

Alaa Dalghan wrote:
> imposes too much processing overhead on the linux VPN gateway. The
> required behavior is that the VPN gateway just RELAYS encrypted data
> (ESP envelopes) without decrypting them. This is impossible in the
> current ipsec implementation since "the end of a tunnel HAS ALWAYS to be
> decrypted".
>
That can work only if you set ESP's encryption keys manually
and the same on all 30 of your clients. Also, the SPIs should be the same. I
would not call such a setup secure.

A better way is to put all these clients into a single subnet and configure
them to require transport mode ESP transformation in that subnet +
employ automatic keying and auth by certs. And the required subset of these
scary 900 tunnels will set up automatically. [Don't ask me how to
configure this setup in Windows -- I don't know].

> I hope that someone can help me with finding this portion of the code
> and modify it. By the way I searched in the kernel file "esp4.c" but
> can't seem to find what I want.

Check xfrm*.c files, also net/xfrm directory.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
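
The setup recommended in the reply (transport-mode ESP required inside one subnet, automatic keying, certificate authentication) could look like the following on a Linux host. This is an added example, not part of the original message; it assumes the ipsec-tools userland (setkey and racoon), and the subnet 192.0.2.0/24, the file paths and the certificate file names are placeholders.

```conf
# ---- /etc/ipsec-tools.conf (loaded with: setkey -f) -- assumed path ----
# Security policy only: no "add" lines, so no manual keys or fixed SPIs.
flush;
spdflush;

# Require ESP in transport mode for all traffic between hosts of the subnet.
# 192.0.2.0/24 is a placeholder for the clients' subnet.
spdadd 192.0.2.0/24 192.0.2.0/24 any -P out ipsec esp/transport//require;
spdadd 192.0.2.0/24 192.0.2.0/24 any -P in  ipsec esp/transport//require;

# ---- /etc/racoon/racoon.conf -- assumed path ----
# The first packet that matches a policy without an SA makes the kernel ask
# racoon to negotiate one, so only the host pairs that actually talk get SAs.
path certificate "/etc/racoon/certs";

remote anonymous {
    exchange_mode main;
    certificate_type x509 "host.crt" "host.key";   # placeholder file names
    ca_type x509 "ca.crt";                          # CA that signed every client
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_cert on;

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;               # auth by certificates
        dh_group modp2048;
    }
}

sainfo anonymous {
    pfs_group modp2048;
    lifetime time 1 hour;                           # per-pair keys are rotated
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
```

The same two files go on every client; only the host certificate and key differ, so no ESP key or SPI is shared between hosts.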