[Swan] NetKey vs KLIPS

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Fri Sep 12 17:20:35 EEST 2014


On Thu, Sep 11, 2014 at 10:45:40PM -0400, Paul Wouters wrote:
> http://ocf-linux.sourceforge.net/
> 
> It's a module patch against Linux, with more hardware support than
> whatever current crypto interface the kernel has.

The kernel supports plenty of hardware that ocf-linux does not.  They may
be older designs but some are still in use.

I certainly am not looking for yet another patch to keep working whenever
upgrading kernels.  So OCF has near zero interest to me.

> Which one? CryptoAPI? acrypto? or the other one whose name I don't even
> know :)

Yeah it has a few.  Of course the userspace interface doesn't matter to
netkey, it just works.

> Yes it can, via OCF cryptosoft. It glues "native" drivers that use
> whatever is today's crypto api to OCF, to KLIPS. I've used this to
> support the VIA padlock AES and Alixboard i586 AES which has no direct
> native OCF driver.

Yeah, those, as well as the Geode LX, are certainly not in OCF.  Of course
the Geode LX only does AES128 (no DES, and no other bit sizes of AES)
for some stupid reason.

> And especially doing IKE with kernel crypto these days is a waste of
> resources and ends up being slower, which is why libreswan removed
> HAVE_OCF support for IKE.

Certainly no reason to use it when it makes it slower.

-- 
Len Sorensen

