[Swan] NetKey vs KLIPS
Paul Wouters
paul at nohats.ca
Thu Sep 11 18:43:57 EEST 2014
On Thu, 11 Sep 2014, Thomas Geulig wrote:
> Subject: Re: [Swan] NetKey vs KLIPS
>
> On 11.09.2014 at 17:04, Lennart Sorensen wrote:
>> Certainly simple with netkey. Also netkey can use the kernel crypto
>> drivers for hardware crypto which I don't think klips can.
>
> KLIPS is able to use the kernel crypto drivers and other crypto hardware
> modules via OCF (see Paul's mail).

There are some "native" crypto hardware drivers in the kernel, but I
believe it is missing the cards deployed by many vendors (HiFn, safenet,
intel). But I have not looked at the current state for netkey and those
drivers in a while.

> We still use KLIPS, and I will assist with necessary patches for the
> foreseeable future.

Great! Of course, the libreswan test suite uses both stacks but still
has a lot more KLIPS tests than NETKEY tests.

What would be useful for KLIPS would be to add the glue needed for some
of the newer cryptoapi ciphers (sha2, aes_gcm, aes_ctr, camellia).
Without those, devices using KLIPS won't pass some USG requirements.
We haven't had the time/priority to add those yet, but would of course
welcome any patches :)
Paul