Re: Modifying Cryptography Code

On Tue, Sep 06, 2005 at 01:56:56PM +0000, Alaa Dalghan wrote:
> Hello everyone,
> I need to modify some CRYPTOGRAPHY code in Linux Kernel to get a specific 
> VPN behavior, but I don't know where to start.

<snip>

> Each packet sent from a given client to the other gets processed 4 times 
> (encryption at the sender, decryption at the gateway, encryption at the 
> gateway, decryption at the receiver). This is the normal behavior but it 
> imposes too much processing overhead on the linux VPN gateway. The required 
> behavior is that the VPN gateway just RELAYS encrypted data (ESP envelopes) 
> without decrypting them. This is impossible in the current ipsec 
> implementation since "the end of a tunnel HAS ALWAYS to be decrypted".

Umm, if I understand correctly, unless each tunnel is using the same
keys, the decrypt and reencrypt ends up with *different* data. So
just skipping the decrypt won't work, you'll just end up sending
packets which the other end can't read.

If you're using the same keys, perhaps the kernel can see that, I don't
know...

Hope this helps,
-- 
Martijn van Oosterhout   <kleptog@xxxxxxxxx>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
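
The point made in the reply above, as an added example that is not part of the original message or of the kernel's IPsec code: a simplified ESP-like encrypt-then-MAC model in which a packet relayed without re-encryption fails the receiver's integrity check. The toy SHA-256 keystream, the 12-byte truncated HMAC, the SA dictionaries and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

ICV_LEN = 12  # truncated HMAC length (assumption of this model)

def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream: SHA-256 over key, sequence number and block counter."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(
            enc_key + seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]

def esp_seal(sa: dict, seq: int, payload: bytes) -> bytes:
    """Encrypt, then authenticate: SPI | seq | ciphertext | ICV."""
    header = sa["spi"].to_bytes(4, "big") + seq.to_bytes(4, "big")
    ks = _keystream(sa["enc"], seq, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    icv = hmac.new(sa["auth"], header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv

def esp_open(sa: dict, packet: bytes):
    """Return the payload, or None if the ICV does not verify under this SA.
    SA lookup by SPI is skipped here; the caller passes the SA directly."""
    header, ct, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth"], header + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    seq = int.from_bytes(header[4:], "big")
    return bytes(c ^ k for c, k in zip(ct, _keystream(sa["enc"], seq, len(ct))))

# Constructed SAs: one per tunnel, each with its own keys.
SA_A_GW = {"spi": 0x1001, "enc": b"A" * 16, "auth": b"a" * 20}
SA_GW_B = {"spi": 0x2002, "enc": b"B" * 16, "auth": b"b" * 20}

def relay_without_decrypt(payload: bytes):
    """Gateway forwards the sender's ESP packet untouched; receiver uses its own SA."""
    return esp_open(SA_GW_B, esp_seal(SA_A_GW, 1, payload))

def relay_with_reencrypt(payload: bytes):
    """Normal behaviour: gateway opens with SA_A_GW, then reseals with SA_GW_B."""
    inner = esp_open(SA_A_GW, esp_seal(SA_A_GW, 1, payload))
    return esp_open(SA_GW_B, esp_seal(SA_GW_B, 1, inner))
```
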
