August 29, 2014
The Internet Protocol Security (IPsec) suite is used to implement virtual private networks on FreeBSD and other operating systems. As the networking world continues its transition from 1 to 10, to 40 gigabit per second speeds, and faster, improvements in IPsec’s cryptographic building blocks are necessary to keep pace. The FreeBSD Foundation is pleased to announce that long-time FreeBSD developer John-Mark Gurney is adding modern AES modes to FreeBSD’s cryptographic framework and IPsec. This project is co-sponsored by the FreeBSD Foundation and Netgate, a leading vendor of BSD-based firewalls and networking gear.
The project adds new encryption modes while also importing infrastructure updates from OpenBSD giving FreeBSD users unprecedented support for high performance, encrypted communications. New modes include AES-CTR and AES-GCM with hardware acceleration using Intel’s AES-NI instructions. According to John-Mark, “on a modern 64-bit x86 CPU one core can process about 1 gigabyte per second of data” using the new AES-GCM mode.
Concurrent with this project, FreeBSD committer and pfSense employee Ermal Luçi will update the FreeBSD IPsec stack to take advantage of the new cryptographic modes.
Jim Thompson, a co-owner of both Netgate and ESF (the company behind pfSense), said “We are pleased to contribute to this project. Our interest in high-performance IPsec is obvious, however we also recognize the importance of contributing this capability to the FreeBSD project. Not only because our own software is based on FreeBSD, but for the benefit it brings to the entire community. We plan to have AES-GCM support for IPsec with AES-NI acceleration available in the 2.2 release of pfSense software.”
The project is currently in progress, with a planned completion at the end of September 2014.