
Re: [lwip-users] IPSec and lwIP


From: Sylvain Rochet
Subject: Re: [lwip-users] IPSec and lwIP
Date: Fri, 24 Aug 2012 21:59:16 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

Hi John,

On Fri, Aug 24, 2012 at 02:03:30PM -0400, John Bishop wrote:
> Dear all,
> 
> We are developing a device that uses an ATMEL 32 bit chip, and it uses the
> FreeRTOS for programs. I understand that lwIP has been included in
> FreeRTOS.
> 
> We have been asked by a number of customers to provide IPSec on the system,
> and I haven't found many comments on IPSec or encryption on the lwip-devel
> archive. (There are two postings in 2005 regarding SSL and two in May 2012
> regarding basic encryption (DES)).
> 
> I have found that on FreeRTOS there is this
> http://www.freertos.org/FreeRTOS-Plus/CyaSSL/CyaSSL.shtml .
> 
> Does anyone know of any work for including IPSec as part of lwIP (it may
> be, as per one of the 2005 posts, that the IP stack is not the right place
> for this, however the May 2005 posts indicate some encryption work being
> done - admittedly for ppp)?

Well, PPP is currently using DES for authentication purposes (MSCHAP 
requires it), but this has nothing to do with IPSEC.

It depends if you need IPSEC "Transport"[1], which encrypts the payload of IP 
packets statically between two hosts that must be reachable (not NATed), 
and so must be part of the IP stack because IPsec is between IP and 
UDP/TCP/.... Or if you need IPSEC "Tunnel"[2], which uses IP in IP packets 
or, in the case of PPPoL2TP, uses UDP port 500, also known as ISAKMP[3].

Anyway, an IPSEC stack is a huuuuuuuuge amount of work to be done, and known to be 
badly implemented, thus requiring a lot of work to add workarounds; SSL 
is several magnitudes easier compared to IPSEC.

Sylvain

[1] http://en.wikipedia.org/wiki/IPsec#Transport_mode
[2] http://en.wikipedia.org/wiki/IPsec#Tunnel_mode
[3] http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#L2TP.2FIPsec
