[Swan] NetKey vs KLIPS

Paul Wouters paul at nohats.ca
Thu Sep 11 18:43:57 EEST 2014


On Thu, 11 Sep 2014, Thomas Geulig wrote:

> Subject: Re: [Swan] NetKey vs KLIPS
> 
> On 11.09.2014 at 17:04, Lennart Sorensen wrote:
>> Certainly simple with netkey.  Also netkey can use the kernel crypto
>> drivers for hardware crypto which I don't think klips can.
>
> KLIPS is able to use the kernel crypto drivers and other crypto hardware 
> modules via OCF (see Paul's mail).

There are some "native" crypto hardware drivers in the kernel, but I
believe it is missing the cards deployed by many vendors (HiFn, SafeNet,
Intel). But I have not looked at the current state for netkey and those
drivers in a while.

> We still use KLIPS, and I will assist with necessary patches for the 
> foreseeable future.

Great! Of course, the libreswan test suite uses both stacks but still
has a lot more KLIPS tests than NETKEY tests.

What would be useful for KLIPS would be to add the glue needed for some
of the newer cryptoapi ciphers (sha2, aes_gcm, aes_ctr, camellia).
Without those, devices using KLIPS won't pass some USG requirements.

We haven't had the time/priority to add those yet, but would of course
welcome any patches :)

Paul

