[Click] Problem with IPsecDES

Beyers Cronje bcronje at gmail.com
Tue Jun 12 06:59:43 EDT 2007


Hi Marco,

I might be way off here, but wouldn't a TLS element that functions similarly
to the SOCKET element http://read.cs.ucla.edu/click/elements/socket be more
in line with what you are looking for? There are two drawbacks to this
approach though: it is only available in user-level click, and you have to
develop it yourself. On the plus side, the SOCKET element would be a good
foundation to base a TLS element on.

Beyers

On 6/12/07, Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de> wrote:
>
> Hi Yannis,
>
> my project is very complex and maybe a little bit difficult to explain.
> I have to implement a test bed for so called "context-sensitive
> routing". This will consist of a client, a router and so called
> context-servers. The router will route context-specific data between
> client and servers. That means that the client sends a route request
> with some context data and the router chooses, transparently for the
> client, the services and servers. This functionality is based on AODV
> with context-extension, developed at my university.
> The security functionalities should be implemented between router and
> servers. The servers have to log in at the router (required) and transfer
> their data encrypted (not necessarily required).
> Maybe you're right, when you say, that it is unusual to implement
> tunnels at the data plane. But for me it was the easiest way to realize
> the required functionality.
>
> Regards,
> Marco.
>
> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
> > Marco, are you trying to implement "control plane" or "data plane"
> > functionality? It is not clear from what you're describing. The choice
> > of which secure tunneling technology to use would depend on the
> > answer to that question. TLS is on top of TCP -- implementing TCP
> > tunnels in the data plane of the routers would be, let's say, highly
> > unusual.
> >
> > Yannis
> >
> > ----- Original Message -----
> > From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
> > Date: Monday, June 11, 2007 2:22 pm
> > Subject: Re: [Click] Problem with IPsecDES
> > Cc: click at amsterdam.lcs.mit.edu
> >
> >> Hi Yannis,
> >>
> >> the reason why I prefer TLS over IPsec is that my tutor said it maybe
> >> will be the better way.
> >> I have to implement a router that sends ICMP advertisements (RFC 1256)
> >> into a subnet of clients. These clients have to do a secure
> >> authorization at the router when they receive an advertisement.
> >> Furthermore, they have to send some so-called "context data" over an
> >> encrypted way to my router. The clients will be implemented by another
> >> person in a separate project, which doesn't use Click. I think it will
> >> be hard to do it with IPSec, because it's much more complex than TLS.
> >> Maybe you've got a better idea? I'll be open to every proposal.
> >>
> >> Thanks and best regards,
> >> Marco.
> >>
> >> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
> >>> Hi Marco,
> >>>
> >>> I am curious what might be the reason that you prefer TLS over IPsec.
> >>>
> >>> Yannis
> >>>
> >>> ----- Original Message -----
> >>> From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
> >>> Date: Friday, June 8, 2007 4:50 am
> >>> Subject: Re: [Click] Problem with IPsecDES
> >>> Cc: click at amsterdam.lcs.mit.edu
> >>>
> >>>> Hi Dimitris,
> >>>>
> >>>> thanks for this explicit explanation. After reading some more
> >>>> documents about IPSec and playing around with the Click-IPSec
> >>>> elements, I decided that IPSec is not a suitable encryption
> >>>> technique for my project. I think SSL/TLS is a better solution for
> >>>> me. Did anyone implement Click elements which can realize an SSL/TLS
> >>>> connection? After searching in the CVS and the official releases
> >>>> with the additional packages, I did not find any.
> >>>>
> >>>> Best regards,
> >>>> Marco.
> >>>>
> >>>>
> >>>> Dimitris Syrivelis wrote:
> >>>>> Hello,
> >>>>>
> >>>>> The documentation on IPsecDES and this particular configuration
> >>>>> file (ipsec-des.click) are outdated because the modules have been
> >>>>> recently revised. Despite that, if this configuration suits your
> >>>>> needs you may use the click-1.5.0 release or earlier.
> >>>>>
> >>>>> In the current release click has a Security Association Database,
> >>>>> and the keys for encryption and authentication are stored there and
> >>>>> are passed to each IPsec module via the click annotation space
> >>>>> mechanism. This database (it is a click hashtable) resides in the
> >>>>> RadixIPsecLookup routing table module.
> >>>>>
> >>>>> You should check the ipsec-router.click configuration example as
> >>>>> well as the click documentation for IPsec, which is here:
> >>>>>     http://www.read.cs.ucla.edu/click/docs/ipsec-doc
> >>>>>
> >>>>> If you have any questions, please post them here because I will use
> >>>>> the feedback to improve the documentation.
> >>>>>
> >>>>> If you will be using commodity PCs to create pairs of IPSec
> >>>>> security gateways, note that you should decrease the Ethernet MTU
> >>>>> size of all the machines that use these gateways to 1400 bytes,
> >>>>> because IPsec ESP encapsulation increases the packet size.
> >>>>>
> >>>>> Dimitris
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> in the context of my diploma thesis I want to use the ipsec package
> >>>>>> to send encrypted data over an ethernet network. While trying to
> >>>>>> play around with the example configurations in the "conf" directory
> >>>>>> I get the following errors in usermode:
> >>>>>> # click conf/ipsec-des.click
> >>>>>> conf/ipsec-des.click:11: While configuring 'IPsecDES@7 :: IPsecDES':
> >>>>>>   too many arguments; expected 'int'
> >>>>>> conf/ipsec-des.click:20: While configuring 'IPsecDES@16 :: IPsecDES':
> >>>>>>   too many arguments; expected 'int'
> >>>>>> Router could not be initialized!
> >>>>>>
> >>>>>> Corresponding to the element documentation the syntax
> >>>>>> "IPsecDES(1, 0123456789012345)" and "IPsecDES(0, 0123456789abcdef)"
> >>>>>> is correct. I couldn't find any other mistake in the
> >>>>>> ipsec-des.click configuration.
> >>>>>>
> >>>>>> I'm using the current CVS-version. Click is configured with
> >>>>>> "./configure --disable-linuxmodule --enable-ipsec" and runs under
> >>>>>> gentoo linux with kernel 2.6.19-gentoo-r5. Does anyone have an idea
> >>>>>> what I'm doing wrong?
> >>>>>>
> >>>>>> Best regards,
> >>>>>> Marco.
>
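
The MTU advice in Dimitris's quoted message, worked through as an added example (not code from the thread or from Click). It assumes the standard RFC 4303 tunnel-mode layout with an option-free outer IPv4 header, DES-CBC's 8-byte block and IV, and a 12-byte truncated-HMAC ICV; the AES-CBC parameters in the demo go beyond the thread's DES case.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 layout).
# All constants are assumptions about the deployment, not Click internals.
OUTER_IPV4 = 20   # outer IPv4 header without options
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Size of the outer IPv4 packet carrying an inner packet of inner_len.

    Defaults model DES-CBC (8-byte block and IV) plus a 96-bit HMAC ICV.
    """
    if inner_len <= 0:
        raise ValueError("inner_len must be positive")
    # Inner packet plus trailer is padded up to a whole number of blocks.
    blocks = -(-(inner_len + ESP_TRAILER) // block)
    return OUTER_IPV4 + ESP_HEADER + iv + blocks * block + icv


def max_inner_len(link_mtu=1500, block=8, iv=8, icv=12):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    room = link_mtu - (OUTER_IPV4 + ESP_HEADER + iv + icv)
    if room < block:
        raise ValueError("link MTU too small for one cipher block")
    return (room // block) * block - ESP_TRAILER


def fits(inner_len, link_mtu=1500, **params):
    """True if the encapsulated packet needs no fragmentation."""
    return esp_tunnel_size(inner_len, **params) <= link_mtu


if __name__ == "__main__":
    for host_mtu in (1400, max_inner_len(), 1500):
        wire = esp_tunnel_size(host_mtu)
        print(f"host MTU {host_mtu}: {wire} bytes on the wire, "
              f"fits 1500: {fits(host_mtu)}")
    # Generalisation beyond the thread: AES-CBC with 16-byte block and IV.
    print("AES-CBC limit:", max_inner_len(block=16, iv=16))
```

Under these assumptions a 1400-byte host MTU produces 1456-byte outer packets, which leaves headroom below a 1500-byte Ethernet MTU, while an unchanged 1500-byte host MTU would force fragmentation at the gateway.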