[Swan] FIPS mode

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Tue Apr 14 16:01:08 EEST 2015

On Tue, Apr 14, 2015 at 08:47:56AM -0400, jonetsu wrote:
>   Regarding using libreswan in FIPS mode...  Is all of the encryption done using XFRM in kernel space ?  Would that mean that all crypto (C/asm) code is located in the kernel ?  IS there any plug-in alternative to use OpenSSL instead ?  I'm asking because of the overhead (time and money) that could be required to have the kernel crypto code validate under FIPS.  Whereas OpenSSL is already validated.  OTOH, going through OpenSSL would have a (significant) impact on performance.  Any thoughts about libreswan and FIPS validation ?

The main benefit of using the kernel crypto is that since the network
packets are in the kernel, doing the crypto and encapsulation and routing
all in the kernel avoids the very high overhead of dropping the packet
data to user space for part of the processing.  Also the kernel has the
option to use hardware crypto engines if you have them, where as openssl
would have to use the kernel to access the hardware crypto, which would
just add yet another layer of userspace/kernel space data exchange.

But certainly libreswan does the actual packet encryption either with
xfrm or with klips, both in the kernel, which is where it belongs.

Len Sorensen

More information about the Swan mailing list