[Swan] NetKey vs KLIPS

Paul Wouters paul at nohats.ca
Fri Sep 12 05:45:40 EEST 2014


On Thu, 11 Sep 2014, Lennart Sorensen wrote:

> OCF is NOT in linux

http://ocf-linux.sourceforge.net/

It's a module patch against Linux, with more hardware support than
whatever current crypto interface the kernel has.

> Linux has its own crypto interface

Which one? CryptoAPI? acrypto? or the other one whose name I don't even
know :)

> Perhaps klips could be made to use it.

Yes it can, via OCF cryptosoft. It glues "native" drivers that use
whatever is today's crypto api to OCF, to KLIPS. I've used this to
support the VIA padlock AES and Alixboard i586 AES which has no direct
native OCF driver.

> Of course on many systems doing software crypto
> is often faster than using the hardware crypto, although sometimes you
> want to avoid wasting cpu resources on it if you can.

And especially doing IKE with kernel crypto these days is a waste of
resources and ends up being slower, which is why libreswan removed
HAVE_OCF support for IKE.

Paul

