Re: [CryptoAPI-devel] Re: [Design] [PATCH] USAGI IPsec

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sandy Harris <sandy@storm.ca>
To: Herbert Valerio Riedel <hvr@hvrlab.org>
Cc: "David S. Miller" <davem@rth.ninka.net>,
	Mitsuru KANDA <mk@linux-ipv6.org>,
	linux-kernel@vger.kernel.org, netdev@oss.sgi.com,
	cryptoapi-devel@kerneli.org, design@lists.freeswan.org,
	usagi@linux-ipv6.org
Subject: Re: [CryptoAPI-devel] Re: [Design] [PATCH] USAGI IPsec
Date: Mon, 21 Oct 2002 19:27:07 -0700	[thread overview]
Message-ID: <3DB4B77B.90607@storm.ca> (raw)
In-Reply-To: 1035185654.21824.11.camel@janus.txd.hvrlab.org

Herbert Valerio Riedel wrote:

>On Mon, 2002-10-21 at 04:41, David S. Miller wrote:
>
>  
>
>>A completely new CryptoAPI subsystem has been implemented so that
>>full lists of page vectors can be passed into the ciphers, which is
>>necessary for a clean IPSEC implementation.
>>    
>>
>
>oh... nice to learn about your plans (so late) at all ;-)
>
>well, it would be cool if you'd cooperate (or at least share
>information) with us (the official cryptoapi project ;-), as we're open
>for the design requirements of the next generation cryptoapi...
>
>...otherwise this may render the kerneli.org/cryptoapi effort completely
>useless :-/ ...of course, if it's your long term goal to take the
>cryptoapi development away from kerneli.org, I'd like to know too ;-)
>
>regards,
>  
>
I think the long term goal should be to get good crypto, at least IPsec 
and disk encryption,
into the mainline, standard Linux kernel. Also ipv6 support. Projects 
like FreeS/WAN, USAGI
and cryptoapi seem necessary for getting the work done in the first 
place, but eventually you
want to do away with patch sets and just have all the good stuff built 
in to the kernel.

One payoff is integration. As I understand it, a current fully-patched 
kernel has either MD-5
or SHA-1 in the /dev/random driver, both in FreeS/WAN, and possibly both 
of those plus a
few other hashes in the CryptoAPI stuff. This is silly. The obvious fix 
is for everyone to use
the CryptoAPI hashes and ciphers.

However, crypto is a special case. The US government (among others) has 
a long history
of  restricting it and, much as we would like to see good crypto in the 
standard kernel,
there's a good case for being very careful to keep code out of their 
clutches.

My suggestion would be that the standard kernel incorporate only one 
good hash
and one good cipher, specifically AES and SHA-256 since (last I looked) 
those
were en route to becoming requirements for IPsec. Let the FreeS/WAN and
CryptoAPI folk -- outside the US -- maintain the other ciphers and 
hashes. That
way we have a fallback position if the US goes back to being viciously 
restrictive.

next prev parent reply	other threads:[~2002-10-22  2:27 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-10-11  8:05 [PATCH] USAGI IPsec Mitsuru KANDA
2002-10-21 14:46 ` [Design] " Sandy Harris
2002-10-21  2:41   ` David S. Miller
2002-10-21  3:42     ` YOSHIFUJI Hideaki / 吉藤英明
2002-10-21  7:34     ` [CryptoAPI-devel] " Herbert Valerio Riedel
2002-10-22  2:27       ` Sandy Harris [this message]
2002-10-22  5:02       ` Jari Ruusu
2002-10-24 14:50         ` Jean-Luc Cooke
2002-10-28 13:55           ` JuanJo Ciarlante
2002-10-21  4:22   ` Andre Hedrick

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3DB4B77B.90607@storm.ca \
    --to=sandy@storm.ca \
    --cc=cryptoapi-devel@kerneli.org \
    --cc=davem@rth.ninka.net \
    --cc=design@lists.freeswan.org \
    --cc=hvr@hvrlab.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mk@linux-ipv6.org \
    --cc=netdev@oss.sgi.com \
    --cc=usagi@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).