Re: Modifying Cryptography Code

From: Martijn van Oosterhout (kleptog@private)
Date: Tue Sep 06 2005 - 08:24:16 PDT


On Tue, Sep 06, 2005 at 01:56:56PM +0000, Alaa Dalghan wrote:
> Hello everyone,
> I need to modify some CRYPTOGRAPHY code in Linux Kernel to get a specific 
> VPN behavior, but I don't know where to start.

<snip>

> Each packet sent from a given client to the other get processed 4 times 
> (encryption at the sender, decryption at the gateway, encryption at the 
> gateway, decryption at the receiver). This is the normal behavior but it 
> imposes too much processing overhead on the linux VPN gateway. The required 
> behavior is that the VPN gateway just RELAYS encrypted data (ESP envelopes) 
> without decrypting them. This is impossible in the current ipsec 
> implementation since "the end of a tunnel HAS ALWAYS to be decrypted".

Umm, if I understand correctly, unless each tunnel is using the same
keys, the decrypt and reencrypt ends up with *different* data. So
just skipping the decrypt won't work, you'll just end up sending
packets which the other end can't read.

If you're using the same keys, perhaps the kernel can see that, I don't
know...

Hope this helps,
-- 
Martijn van Oosterhout   <kleptog@private>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

This archive was generated by hypermail 2.1.3 : Tue Sep 06 2005 - 12:09:06 PDT