[Click] Problem with IPsecDES

Marco Wenzel marco.wenzel at stud.tu-ilmenau.de
Thu Jun 14 04:06:02 EDT 2007


Hi Dimitris,

thanks for your suggestions. I'll try to realize them and let you know
if there are any problems.

Marco


Dimitris Syrivelis wrote:
>  Marco,
> 
>   If you just need to configure click at runtime e.g. change/or add routing 
> table entries etc, write a user-application "configuration" server to do so. 
> The click kernel-level version, for instance, exports configuration memory via 
> a pseudo file system, which allows you to dynamically edit configuration 
> memory (of elements that support this feature). To that end, you can add 
> runtime configuration support -also for your elements- that suits your needs.
>  The "configuration" server can use SSL/TLS to communicate with the rest of 
> your system.
>  In my opinion this is the "cleanest" way to integrate click in your project 
> and provides you with the ability to use the OS process scheduling properties 
> for load balancing.      
>   
>  Dimitris
> 
> 
>> Hi Yannis,
>>
>> my project is very complex and maybe a little bit difficult to explain.
>> I have to implement a test bed for so-called "context-sensitive
>> routing". This will consist of a client, a router and so-called
>> context-servers. The router will route context-specific data between
>> client and servers. That means that the client sends a route request
>> with some context data and the router chooses, transparent for the
>> client, the services and servers. This functionality is based on AODV
>> with context-extension, developed at my university.
>> The security functionalities should be implemented between router and
>> servers. The servers have to login at the router (required) and transfer
>> their data encrypted (not necessarily required).
>> Maybe you're right when you say that it is unusual to implement
>> tunnels at the data plane. But for me it was the easiest way to realize
>> the required functionality.
>>
>> Regards,
>> Marco.
>>
>> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
>>> Marco, are you trying to implement "control plane" or "data plane"
>>> functionality? It is not clear from what you're describing. The choice
>>> of which secure tunneling technology to use would depend on the
>>> answer to that question. TLS is on top of TCP -- implementing TCP
>>> tunnels in the data plane of the routers would be, let's say, highly
>>> unusual. Yannis
>>>
>>> ----- Original Message -----
>>> From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
>>> Date: Monday, June 11, 2007 2:22 pm
>>> Subject: Re: [Click] Problem with IPsecDES
>>> Cc: click at amsterdam.lcs.mit.edu
>>>
>>>> Hi Yannis,
>>>>
>>>> the reason why I prefer TLS over IPsec is that my tutor said it maybe
>>>> will be the better way.
>>>> I have to implement a router that sends ICMP advertisements (RFC 1256)
>>>> into a subnet of clients. These clients have to do a secure authorization
>>>> at the router when they receive an advertisement. Furthermore they have
>>>> to send some so-called "context data" over an encrypted way to my
>>>> router. The clients will be implemented by another person in a separate
>>>> project, which doesn't use Click. I think it will be hard to do it with
>>>> IPSec, because it's much more complex than TLS.
>>>> Maybe you've got a better idea? I'll be open to every proposal.
>>>>
>>>> Thanks and best regards,
>>>> Marco.
>>>>
>>>> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
>>>>> Hi Marco,
>>>>>
>>>>> I am curious what might be the reason that you prefer TLS over IPsec.
>>>>>
>>>>> Yannis
>>>>>
>>>>> ----- Original Message -----
>>>>> From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
>>>>> Date: Friday, June 8, 2007 4:50 am
>>>>> Subject: Re: [Click] Problem with IPsecDES
>>>>> Cc: click at amsterdam.lcs.mit.edu
>>>>>
>>>>>> Hi Dimitris,
>>>>>>
>>>>>> thanks for this explicit explanation. After reading some more
>>>>>> documents about IPSec and playing around with the Click-IPSec elements,
>>>>>> I decided that IPSec is not a suitable encryption technique for my
>>>>>> project. I think SSL/TLS is a better solution for me. Did anyone
>>>>>> implement Click elements which can realize an SSL/TLS connection? After
>>>>>> searching in the CVS and the official releases with the additional
>>>>>> packages, I did not find any.
>>>>>>
>>>>>> Best regards,
>>>>>> Marco.
>>>>>>
>>>>>> Dimitris Syrivelis wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>>   The Documentation on IPsecDES and this particular configuration file
>>>>>>> (ipsec-des.click) are outdated because the modules have been recently
>>>>>>> revised. Despite that, if this configuration suits your needs you may use
>>>>>>> click-1.5.0 release or earlier.
>>>>>>>  In the current release click has a Security Association Database and the keys
>>>>>>> for encryption and authentication are stored there and are passed to each
>>>>>>> IPsec module via the click annotation space mechanism.
>>>>>>>  This database (it is a click hashtable) resides in RadixIPsecLookup routing
>>>>>>> table module.
>>>>>>>   You should check the ipsec-router.click configuration example as well as the
>>>>>>> click documentation for IPsec which is here:
>>>>>>>     http://www.read.cs.ucla.edu/click/docs/ipsec-doc
>>>>>>>
>>>>>>>  If you have any questions please post them here because I will use the
>>>>>>> feedback to improve documentation.
>>>>>>>
>>>>>>>  If you will be using commodity PCs to create pairs of IPSec security
>>>>>>> gateways, note that you should decrease the Ethernet MTU size of all the
>>>>>>> machines that use these gateways to 1400 bytes because IPsec ESP
>>>>>>> encapsulation increases the packet size.
>>>>>>>
>>>>>>> Dimitris
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> in the context of my diploma thesis I want to use the ipsec package to send
>>>>>>>> encrypted data over an ethernet network. While trying to play around with
>>>>>>>> the example configurations in the "conf" directory I get the following
>>>>>>>> errors in usermode:
>>>>>>>>
>>>>>>>> # click conf/ipsec-des.click
>>>>>>>> conf/ipsec-des.click:11: While configuring 'IPsecDES at 7 :: IPsecDES':
>>>>>>>>   too many arguments; expected 'int'
>>>>>>>> conf/ipsec-des.click:20: While configuring 'IPsecDES at 16 :: IPsecDES':
>>>>>>>>   too many arguments; expected 'int'
>>>>>>>> Router could not be initialized!
>>>>>>>>
>>>>>>>> Corresponding to the element documentation the syntax "IPsecDES(1,
>>>>>>>> 0123456789012345)" and "IPsecDES(0, 0123456789abcdef)" is correct. I
>>>>>>>> couldn't find any other mistake in the ipsec-des.click configuration.
>>>>>>>>
>>>>>>>> I'm using the current CVS-version. Click is configured with "./configure
>>>>>>>> --disable-linuxmodule --enable-ipsec" and runs under gentoo linux with
>>>>>>>> kernel 2.6.19-gentoo-r5. Does anyone have an idea what I'm doing wrong?
>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Marco.
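
The MTU advice in the quoted reply above (lower the Ethernet MTU to 1400 bytes because ESP encapsulation increases the packet size) can be checked with a short calculation. This is an added example, not part of the thread or of Click; it assumes ESP tunnel mode as laid out in RFC 4303 with DES-CBC (8-byte block and IV) and a 12-byte truncated HMAC ICV, none of which the thread specifies.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 packet layout).
# Assumed parameters, not taken from the thread: IPv4 outer header without
# options, DES-CBC (8-byte block, 8-byte IV), 12-byte truncated HMAC ICV.

OUTER_IP = 20     # new outer IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    # The encrypted part (inner packet + padding + trailer) must be a
    # multiple of the cipher block size, so padding depends on inner_len.
    pad = -(inner_len + ESP_TRAILER) % block
    return OUTER_IP + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv


def fits(inner_len, link_mtu=1500, **params):
    """True if the encapsulated packet leaves the gateway unfragmented."""
    return esp_tunnel_size(inner_len, **params) <= link_mtu


def max_inner_len(link_mtu=1500, **params):
    """Largest inner packet that still fits in link_mtu after encapsulation."""
    n = link_mtu
    while n > 0 and not fits(n, link_mtu, **params):
        n -= 1
    return n


def report(sizes, link_mtu=1500):
    """(inner size, encapsulated size, fits?) for each host-side packet size."""
    return [(s, esp_tunnel_size(s), fits(s, link_mtu)) for s in sizes]


if __name__ == "__main__":
    # Constructed sample: full-size frame, the advised 1400, and the boundary.
    for inner, outer, ok in report([1500, 1400, max_inner_len()]):
        verdict = "fits" if ok else "exceeds gateway MTU"
        print(f"inner {inner:4d} -> ESP {outer:4d}  {verdict}")
```

Under these assumptions a host MTU of 1400 leaves headroom below the gateway's 1500-byte link, while full-size 1500-byte packets would have to be fragmented or dropped after encapsulation.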


