
OpenBSD IPsec

OpenBSD's IPsec stack was written by John Ioannidis and Angelos Keromytis [18], and later enhancements and fixes have been provided by Niels Provos and Niklas Hallqvist. The core is stable and in production use, securing data in many places all over the world, as it does not suffer from US export regulations. A number of companies, agencies, institutions, and individuals are using the code, a fact that has helped us significantly in finding and fixing bugs, and in motivating further development.

Recently, the API used to set up and maintain the SA database was switched to the standard PF_KEY [23]. This API is much more flexible than the old PF_ENCAP interface. The available encryption algorithms are DES [26], 3DES, CAST-128, Blowfish [35], and Skipjack (support for the latter, despite its known weaknesses, was added after requests by US Government agencies using our IPsec stack). The available one-way hash algorithms are MD5, SHA1, and RIPEMD160 [20,21,17]. For key management, two daemons are available: isakmpd, implementing IKE [29,22,12], and photurisd, implementing Photuris [13].



& D. Keromytis
4/26/1999