[Click] Problem with IPsecDES

Marco Wenzel marco.wenzel at stud.tu-ilmenau.de
Thu Jun 14 04:01:48 EDT 2007


Hi Beyers,

Sounds like a very nice solution for my problem. I'll try it out and let
you know if there are any questions. Thank you very much.

Marco.


Beyers Cronje wrote:
> Hi Marco,
> 
> I might be way off here, but wouldn't a TLS element that functions
> similarly to the SOCKET element
> http://read.cs.ucla.edu/click/elements/socket be more in line with what
> you are looking for? There are two drawbacks to this approach though:
> it is only available in user-level click, and you have to develop it yourself.
> On the plus side, the SOCKET element would be a good foundation to base a TLS
> element on.
> 
> Beyers
> 
> On 6/12/07, *Marco Wenzel* <marco.wenzel at stud.tu-ilmenau.de 
> <mailto:marco.wenzel at stud.tu-ilmenau.de>> wrote:
> 
>     Hi Yannis,
> 
>     my project is very complex and maybe a little bit difficult to explain.
>     I have to implement a test bed for so-called "context-sensitive
>     routing". This will consist of a client, a router and so-called
>     context-servers. The router will route context-specific data between
>     client and servers. That means that the client sends a route request
>     with some context data and the router chooses, transparent for the
>     client, the services and servers. This functionality is based on AODV
>     with context-extension, developed at my university.
>     The security functionalities should be implemented between router and
>     servers. The servers have to log in at the router (required) and transfer
>     their data encrypted (not necessarily required).
>     Maybe you're right when you say that it is unusual to implement
>     tunnels at the data plane. But for me it was the easiest way to realize
>     the required functionality.
> 
>     Regards,
>     Marco.
> 
>     Ioannis C Avramopoulos ( iavramop at Princeton.EDU
>     <mailto:iavramop at Princeton.EDU>) wrote:
>      > Marco, are you trying to implement "control plane" or "data plane"
>      > functionality? It is not clear from what you're describing. The choice
>      > of which secure tunneling technology to use would depend on the
>      > answer to that question. TLS is on top of TCP -- implementing TCP
>      > tunnels in the data plane of the routers would be, let's say, highly
>      > unusual. Yannis
>      >
>      > ----- Original Message -----
>      > From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de
>     <mailto:marco.wenzel at stud.tu-ilmenau.de>>
>      > Date: Monday, June 11, 2007 2:22 pm
>      > Subject: Re: [Click] Problem with IPsecDES
>      > Cc: click at amsterdam.lcs.mit.edu <mailto:click at amsterdam.lcs.mit.edu>
>      >
>      >> Hi Yannis,
>      >>
>      >> the reason why I prefer TLS over IPsec is that my tutor said it
>      >> maybe will be the better way.
>      >> I have to implement a router that sends ICMP advertisements (RFC 1256)
>      >> into a subnet of clients. These clients have to do a secure authorization
>      >> at the router when they receive an advertisement. Furthermore, they have
>      >> to send some so-called "context data" over an encrypted way to my
>      >> router. The clients will be implemented by another person in a separate
>      >> project, which doesn't use Click. I think it will be hard to do it with
>      >> IPSec, because it's much more complex than TLS.
>      >> Maybe you've got a better idea? I'll be open to every proposal.
>      >>
>      >> Thanks and best regards,
>      >> Marco.
>      >>
>      >> Ioannis C Avramopoulos (iavramop at Princeton.EDU
>     <mailto:iavramop at Princeton.EDU>) wrote:
>      >>> Hi Marco,
>      >>>
>      >>> I am curious what might be the reason that you prefer TLS over IPsec.
>      >>>
>      >>> Yannis
>      >>>
>      >>> ----- Original Message -----
>      >>> From: Marco Wenzel < marco.wenzel at stud.tu-ilmenau.de
>     <mailto:marco.wenzel at stud.tu-ilmenau.de>>
>      >>> Date: Friday, June 8, 2007 4:50 am
>      >>> Subject: Re: [Click] Problem with IPsecDES
>      >>> Cc: click at amsterdam.lcs.mit.edu
>     <mailto:click at amsterdam.lcs.mit.edu>
>      >>>
>      >>>> Hi Dimitris,
>      >>>>
>      >>>> thanks for this explicit explanation. After reading some more
>      >>>> documents about IPSec and playing around with the Click-IPSec elements,
>      >>>> I decided that IPSec is not a suitable encryption technique for my
>      >>>> project. I think SSL/TLS is a better solution for me. Did anyone
>      >>>> implement Click elements which can realize an SSL/TLS connection? After
>      >>>> searching in the CVS and the official releases with the additional
>      >>>> packages, I did not find any.
>      >>>>
>      >>>> Best regards,
>      >>>> Marco.
>      >>>>
>      >>>>
>      >>>> Dimitris Syrivelis wrote:
>      >>>>> Hello,
>      >>>>>
>      >>>>>   The documentation on IPsecDES and this particular configuration file
>      >>>>> (ipsec-des.click) are outdated because the modules have been recently
>      >>>>> revised. Despite that, if this configuration suits your needs you may use
>      >>>>> click-1.5.0 release or earlier.
>      >>>>>  In the current release click has a Security Association Database and the keys
>      >>>>> for encryption and authentication are stored there and are passed to each
>      >>>>> IPsec module via the click annotation space mechanism.
>      >>>>>  This database (it is a click hashtable) resides in RadixIPsecLookup routing
>      >>>>> table module.
>      >>>>>   You should check the ipsec-router.click configuration example as well as the
>      >>>>> click documentation for IPsec which is here:
>      >>>>>     http://www.read.cs.ucla.edu/click/docs/ipsec-doc
>      >>>>>
>      >>>>>  If you have any questions please post them here because I will use the
>      >>>>> feedback to improve documentation.
>      >>>>>
>      >>>>>  If you will be using commodity PCs to create pairs of IPSec security
>      >>>>> gateways, note that you should decrease the Ethernet MTU size of all the
>      >>>>> machines that use these gateways to 1400 bytes because IPsec ESP
>      >>>>> encapsulation increases the packet size.
>      >>>>>
>      >>>>> Dimitris
>      >>>>>
>      >>>>>> Hello,
>      >>>>>>
>      >>>>>> in the context of my diploma thesis I want to use the ipsec package to send
>      >>>>>> encrypted data over an ethernet network. While trying to play around with
>      >>>>>> the example configurations in the "conf" directory I get the following
>      >>>>>> errors in usermode:
>      >>>>>> # click conf/ipsec-des.click
>      >>>>>> conf/ipsec-des.click:11: While configuring 'IPsecDES at 7 :: IPsecDES':
>      >>>>>>   too many arguments; expected 'int'
>      >>>>>> conf/ipsec-des.click:20: While configuring 'IPsecDES at 16 :: IPsecDES':
>      >>>>>>   too many arguments; expected 'int'
>      >>>>>> Router could not be initialized!
>      >>>>>>
>      >>>>>> Corresponding to the element documentation the syntax "IPsecDES(1,
>      >>>>>> 0123456789012345)" and "IPsecDES(0, 0123456789abcdef)" is correct. I
>      >>>>>> couldn't find any other mistake in the ipsec-des.click configuration.
>      >>>>>>
>      >>>>>> I'm using the current CVS-version. Click is configured with "./configure
>      >>>>>> --disable-linuxmodule --enable-ipsec" and runs under gentoo linux with
>      >>>>>> kernel 2.6.19-gentoo-r5. Does anyone have an idea what I'm doing wrong?
>      >>>>>>
>      >>>>>> Best regards,
>      >>>>>> Marco.

