LinuxQuestions.org
Old 01-14-2016, 10:59 AM   #1
danmartinj
Member
 
Registered: Oct 2009
Posts: 101

Rep: Reputation: 1
Question With Linux IPSec and Null Encryption


Hello,

I have been asked a question about what it will take to get Null Encryption IPSec set up using Linux. So far I spent several hours googling and reading about RFCs and mainly theoretical stuff but none of that really answered my question.

My main specific questions are:
1. Is Null Encryption enabled by default in the Linux Kernel?
2. What are specific requirements for using it?
3. If possible, are there any howtos or examples using it?

Thanks in advance,

Joe
 
Old 01-14-2016, 11:57 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,811

Rep: Reputation: Disabled
Quote:
Originally Posted by danmartinj View Post
1. Is Null Encryption enabled by default in the Linux Kernel?
Well, let's see:
Code:
user@test:~$ cd $(mktemp -d)
user@test:/tmp/tmp.5DGoQZ$ wget -q -O - https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.4.tar.xz | tar -xJ
user@test:/tmp/tmp.5DGoQZ$ cd linux-4.4
user@test:/tmp/tmp.5DGoQZ/linux-4.4$ make defconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/zconf.lex.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
*** Default configuration is based on 'i386_defconfig'
#
# configuration written to .config
#
user@test:/tmp/tmp.5DGoQZ/linux-4.4$ grep CONFIG_CRYPTO_NULL < .config
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
user@test:/tmp/tmp.5DGoQZ/linux-4.4$
So yes, the kernel default settings do seem to include NULL crypto support, but I'm not entirely convinced that's what you were asking about. The question is probably whether a particular distribution comes with a kernel with CRYPTO_NULL support, and that's an entirely different matter.

One could argue that using NULL encryption (which means you're not actually encrypting anything) is completely pointless outside of a lab/test setup, and could potentially be dangerous if accidentally enabled in a production environment. For those reasons, I wouldn't be at all surprised if I were to find that some distribution maintainers had chosen to disable NULL support in the kernel.

Anyway, running zcat /proc/config.gz | grep CRYPTO_NULL on the system in question should tell you. Unless they've disabled proc support for config.gz as well, that is.
Quote:
Originally Posted by danmartinj View Post
2. What are specific requirements for using it?
None, really. Kernel support for a certain encryption protocol means one can make use of system calls to perform encryption and decryption, but there's nothing preventing a userspace application from implementing any protocol it wants.

IPsec support does not reside entirely in kernel space. For instance, the IKE process responsible for negotiating Phase1 Security Associations, which includes selecting a set of mutually supported encryption protocols, is not part of the kernel. Instead, you need to install and run a userspace program like StrongSwan's charon daemon to accept or initiate IPsec connections/tunnels. Whether or not the IKE daemon will allow NULL encryption is a matter of configuration.

Having said that, most IPsec software on the Linux platform depends on crypto support in the kernel. Disable NULL support, or any of the other protocols, and it's unlikely that the software will be able to work around it.
Quote:
Originally Posted by danmartinj View Post
3. If possible, are there any howtos or examples using it?
Take a look at the StrongSwan documentation, specifically the man page for ipsec.conf. The "ike" setting determines the protocols used for Phase1, while the "esp" setting does the same for Phase2.

By the way, here's a list of the supported encryption suites in StrongSwan. As you can see, "null" is indeed supported.
 
1 members found this post helpful.
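The two checks discussed in this thread, as an added example that is not part of either post: reading the CRYPTO_NULL state when /proc/config.gz may be missing, and flagging "null" proposals in the ike/esp settings of an ipsec.conf so an accidental production use stands out. The function names, the /boot/config-$(uname -r) fallback and the sample configuration are assumptions made for the example.

```shell
# null_kconfig [FILE...] (hypothetical helper): print y, m or n for
# CONFIG_CRYPTO_NULL from the first readable kernel config, or "unknown".
# Assumed defaults: /proc/config.gz, then the /boot copy many distros ship.
null_kconfig() {
    [ $# -gt 0 ] || set -- /proc/config.gz "/boot/config-$(uname -r)"
    for f in "$@"; do
        [ -r "$f" ] || continue
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac | sed -n 's/^CONFIG_CRYPTO_NULL=\([ym]\)$/\1/p' | grep . || echo n
        return 0
    done
    echo unknown
    return 1
}

# null_proposals [FILE...] (hypothetical helper): list "section key proposal"
# for every ike=/esp= proposal that contains the literal "null" keyword.
null_proposals() {
    awk '
        { sub(/#.*/, "") }                              # drop comments
        $1 == "conn" || $1 == "config" { sect = $2; next }
        match($0, /^[ \t]*(ike|esp)[ \t]*=[ \t]*/) {
            key = ($0 ~ /^[ \t]*ike/) ? "ike" : "esp"
            val = tolower(substr($0, RLENGTH + 1))
            gsub(/[ \t!]/, "", val)                     # "!" = strict flag
            n = split(val, props, ",")
            for (i = 1; i <= n; i++)
                if (("-" props[i] "-") ~ /-null-/)
                    print sect, key, props[i]
        }
    ' "$@"
}

# Constructed sample config, not taken from a real system.
sample_conf() {
    cat <<'EOF'
conn %default
    ike=aes256-sha256-modp2048!
conn prod
    esp=aes256gcm16-modp2048    # "null" only appears in this comment
conn lab
    esp=aes128-sha256,null-sha256!
EOF
}

echo "kernel CRYPTO_NULL: $(null_kconfig)"
sample_conf | null_proposals
```

On a real host, pass the configuration path as the argument, for example null_proposals /etc/ipsec.conf; an empty result means no ike or esp line names the null cipher.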
  

