[Click] Problem with IPsecDES

Marco Wenzel marco.wenzel at stud.tu-ilmenau.de
Tue Jun 12 05:12:17 EDT 2007


Hi Yannis,

my project is very complex and maybe a little bit difficult to explain.
I have to implement a test bed for so-called "context-sensitive
routing". This will consist of a client, a router and so-called
context-servers. The router will route context-specific data between
client and servers. That means that the client sends a route request
with some context data and the router chooses, transparently for the
client, the services and servers. This functionality is based on AODV
with context-extension, developed at my university.
The security functionalities should be implemented between router and
servers. The servers have to log in at the router (required) and transfer
their data encrypted (not necessarily required).
Maybe you're right when you say that it is unusual to implement
tunnels at the data plane. But for me it was the easiest way to realize
the required functionality.

Regards,
Marco.

Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
> Marco, are you trying to implement "control plane" or "data plane"
> functionality? It is not clear from what you're describing. The choice
> of which secure tunneling technology to use would depend on the
> answer to that question. TLS is on top of TCP -- implementing TCP
> tunnels in the data plane of the routers would be, let's say, highly
> unusual.
>
> Yannis
> 
> ----- Original Message -----
> From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
> Date: Monday, June 11, 2007 2:22 pm
> Subject: Re: [Click] Problem with IPsecDES
> Cc: click at amsterdam.lcs.mit.edu
> 
>> Hi Yannis,
>>
>> the reason why I prefer TLS over IPsec is that my tutor said it maybe
>> will be the better way.
>> I have to implement a router that sends ICMP advertisements (RFC 1256)
>> into a subnet of clients. These clients have to do a secure authorization
>> at the router when they receive an advertisement. Furthermore they have
>> to send some so-called "context data" over an encrypted way to my
>> router. The clients will be implemented by another person in a separate
>> project, which doesn't use Click. I think it will be hard to do it with
>> IPSec, because it's much more complex than TLS.
>> Maybe you've got a better idea? I'll be open to every proposal.
>>
>> Thanks and best regards,
>> Marco.
>>
>> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
>>> Hi Marco,
>>>
>>> I am curious what might be the reason that you prefer TLS over IPsec.
>>>
>>> Yannis
>>>
>>> ----- Original Message -----
>>> From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
>>> Date: Friday, June 8, 2007 4:50 am
>>> Subject: Re: [Click] Problem with IPsecDES
>>> Cc: click at amsterdam.lcs.mit.edu
>>>
>>>> Hi Dimitris,
>>>>
>>>> thanks for this explicit explanation. After reading some more
>>>> documents about IPSec and playing around with the Click-IPSec elements,
>>>> I decided that IPSec is not a suitable encryption technique for my
>>>> project. I think SSL/TLS is a better solution for me. Did anyone
>>>> implement Click elements which can realize an SSL/TLS connection?
>>>> After searching in the CVS and the official releases with the
>>>> additional packages, I did not find any.
>>>>
>>>> Best regards,
>>>> Marco.
>>>>
>>>>
>>>> Dimitris Syrivelis wrote:
>>>>> Hello,
>>>>>
>>>>> The documentation on IPsecDES and this particular configuration file
>>>>> (ipsec-des.click) are outdated because the modules have been recently
>>>>> revised. Despite that, if this configuration suits your needs you may
>>>>> use the click-1.5.0 release or earlier.
>>>>>
>>>>> In the current release Click has a Security Association Database, and
>>>>> the keys for encryption and authentication are stored there and are
>>>>> passed to each IPsec module via the Click annotation space mechanism.
>>>>> This database (it is a Click hashtable) resides in the RadixIPsecLookup
>>>>> routing table module.
>>>>>
>>>>> You should check the ipsec-router.click configuration example as well
>>>>> as the Click documentation for IPsec, which is here:
>>>>>     http://www.read.cs.ucla.edu/click/docs/ipsec-doc
>>>>>
>>>>> If you have any questions please post them here because I will use the
>>>>> feedback to improve documentation.
>>>>>
>>>>> If you will be using commodity PCs to create pairs of IPSec security
>>>>> gateways, note that you should decrease the Ethernet MTU size of all the
>>>>> machines that use these gateways to 1400 bytes because IPsec ESP
>>>>> encapsulation increases the packet size.
>>>>>
>>>>> Dimitris
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> in the context of my diploma thesis I want to use the ipsec package to
>>>>>> send encrypted data over an ethernet network. While trying to play
>>>>>> around with the example configurations in the "conf" directory I get
>>>>>> the following errors in usermode:
>>>>>>
>>>>>> # click conf/ipsec-des.click
>>>>>> conf/ipsec-des.click:11: While configuring 'IPsecDES@7 :: IPsecDES':
>>>>>>   too many arguments; expected 'int'
>>>>>> conf/ipsec-des.click:20: While configuring 'IPsecDES@16 :: IPsecDES':
>>>>>>   too many arguments; expected 'int'
>>>>>> Router could not be initialized!
>>>>>>
>>>>>> Corresponding to the element documentation the syntax
>>>>>> "IPsecDES(1, 0123456789012345)" and "IPsecDES(0, 0123456789abcdef)" is
>>>>>> correct. I couldn't find any other mistake in the ipsec-des.click
>>>>>> configuration.
>>>>>>
>>>>>> I'm using the current CVS-version. Click is configured with
>>>>>> "./configure --disable-linuxmodule --enable-ipsec" and runs under
>>>>>> gentoo linux with kernel 2.6.19-gentoo-r5. Does anyone have an idea
>>>>>> what I'm doing wrong?
>>>>>>
>>>>>> Best regards,
>>>>>> Marco.
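
Added example, not part of the original thread or of the Click code: the size arithmetic behind the advice quoted above to lower the MTU to 1400 bytes on machines behind IPsec gateways. It assumes ESP tunnel mode over IPv4 with DES-CBC (8-byte IV and block) and a 12-byte integrity check value; the thread does not name the authentication algorithm, and all function names are illustrative.

```python
# Added example: ESP tunnel-mode size arithmetic under assumed parameters.
OUTER_IPV4 = 20   # outer IPv4 header without options (assumption)
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
DES_IV = 8        # DES-CBC IV, one cipher block
DES_BLOCK = 8     # DES block size in bytes
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV = 12          # assumed 96-bit truncated HMAC; not stated in the thread


def esp_tunnel_size(inner_len, block=DES_BLOCK, iv=DES_IV, icv=ICV):
    """Bytes on the wire for an inner IP packet of inner_len bytes
    after ESP tunnel-mode encapsulation."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to a whole cipher block
    return OUTER_IPV4 + ESP_HEADER + iv + padded + icv


def max_inner_mtu(link_mtu, **params):
    """Largest inner packet whose encapsulated form still fits in link_mtu."""
    size = link_mtu
    while size > 0 and esp_tunnel_size(size, **params) > link_mtu:
        size -= 1
    return size


def exceeds_link(inner_len, link_mtu=1500, **params):
    """True if the encapsulated packet would need fragmentation on the link."""
    return esp_tunnel_size(inner_len, **params) > link_mtu


if __name__ == "__main__":
    # Constructed sample sizes: the advised MTU, the boundary, and the default.
    for inner in (1400, 1446, 1447, 1500):
        wire = esp_tunnel_size(inner)
        state = "needs fragmentation" if exceeds_link(inner) else "fits"
        print(f"inner {inner:4d} -> on wire {wire:4d}  ({state} in 1500)")
    print("largest inner packet for a 1500-byte link:", max_inner_mtu(1500))
```

Under these assumptions a 1400-byte packet leaves 44 bytes of headroom on a 1500-byte Ethernet link, while a full 1500-byte packet grows past the link MTU once encapsulated.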


