OpenBSD 3.8 is right around the corner, and onlamp has a good tour of the features coming with it, which include some pretty impressive ones:

First up is interface trunking, which will allow the combination of two or more ports into one virtual interface. This allows load-balancing (simple round-robin for now) and failover:

trunk(4) provides several possible benefits. The first one is a slightly improved performance, because the traffic could be distributed over several physical network interfaces. You could get more than 100Mbit/s with a fast Ethernet trunk, even more than 1G/s with a gigabit trunk. The most interesting feature of trunk is failover on layer 2. The trunk will continue to work if you remove the network cable of an attached port, as long as there're other running ports attached to the trunk. The interface link states are used to detect inactive ports and to skip them in the round-robin scheduling.

This can also be used in conjunction with the existing interface grouping in interesting ways:

Interfaces can be in more than one group, and of course a group can contain more than one interface. Now, pf can filter based on the group names. You could, for example, have your external interface on a typical firewall join a group ext, and have pf filter on the group ext instead of the interface. That way, your ruleset is hardware independent--the group assignment goes to the hostname.if files, which are machine dependent anyway. If you do the same for your internal interface it makes even more sense; if you add a second internal one, say, a wireless card, you just make it join the group--no need to modify the ruleset.
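To make the trunk and group ideas concrete, here is an added example (mine, not from the onlamp article or the OpenBSD docs) of what the hostname.if files and a pf.conf built around group names look like. Interface names (fxp0, fxp1, sis0, wi0), group names (ext, int), and addresses are all assumptions; it also assumes that netstart(8) creates trunk0 at boot and hands the non-inet lines of each hostname.if file to ifconfig(8), as it does for other cloned interfaces.

```conf
# Constructed example: several /etc files shown in one block, each one
# introduced by a comment naming the file it belongs in.

# /etc/hostname.fxp0 and /etc/hostname.fxp1 (identical): the physical
# ports only need to be up; the address lives on the trunk, not on them.
up

# /etc/hostname.trunk0: the virtual interface owns the address, bundles
# the two ports (round-robin, the only scheduler in 3.8) and joins the
# "ext" group so that pf can refer to it by role instead of by hardware.
trunkport fxp0
trunkport fxp1
group ext
inet 192.0.2.1 255.255.255.0

# /etc/hostname.sis0: the wired internal interface.
group int
inet 10.0.0.1 255.255.255.0

# /etc/hostname.wi0: a wireless card added later joins the same group,
# so the ruleset below stays untouched.
group int
inet 10.0.1.1 255.255.255.0

# /etc/pf.conf: "on ext" and "on int" name groups, not interfaces. Swapping
# fxp0 for a gigabit card, or adding a third trunk port, changes only the
# hostname.if files. keep state is spelled out because it is not yet the
# default in 3.8.
set skip on lo
block in log
pass out keep state
pass in on int keep state
pass in on ext proto tcp from any to 192.0.2.1 port 22 keep state
```

After editing, `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `ifconfig trunk0` lists the attached ports and their link state, which is what the round-robin scheduler uses to skip a port whose cable has been pulled.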

Perhaps coolest of all comes some good news on the IPSEC front. Currently, OpenBSD's IPSEC support relies on the extremely clunky combination of ipsecadm for manual keying and isakmpd.conf for automatic keying, both of which are relatively obscure and daunting. OpenBSD 3.8 will introduce ipsecctl, which will obsolete both isakmpd.conf and ipsecadm:

We decided to use a language derived from pf.conf(5) (see ipsec.conf(5)): Rules define which packets will go through ipsec(4), which security services will be applied, and how keys are established. Care is taken that only a minimal set of parameters needs to be specified, and reasonable default values are used otherwise.

For example:

esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \
authkey file "auth14:auth12" enckey file "enc14:enc12"

This rule creates an IPsec tunnel between the hosts 192.168.3.4 and 192.168.3.12 using ESP with static keys read from some files. No authentication and encryption algorithms are specified; thus ipsecctl(8) will use HMAC-SHA2-256 and AES countermode as strong default algorithms.

For automatic keying, ipsecctl(8) generates proper configurations and feeds them to isakmpd(8) using its FIFO interface. Thus it is not necessary anymore to use isakmpd.conf(5). For example, to set up a VPN between the networks 10.1.1.0/24 and 10.1.2.0/24, one can use this rule:

ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

Again, ipsecctl(8) will choose good default values for authentication and encryption (3DES-SHA1 for phase 1 and AES-128 and HMAC-SHA2-256 for phase 2), SA lifetimes, and so on.
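Putting both rule types from the quoted article into one ipsec.conf, plus the matching file on the other side, as an added example (mine, not the article's or the OpenBSD project's). Addresses, SPIs and key file names are taken from the article; the peer-side rules, the first gateway's address 192.168.3.1, and the direction convention used in the comments (first SPI and first key file for the direction as written, second for the reverse) are my assumptions to check against ipsec.conf(5).

```conf
# Constructed example: /etc/ipsec.conf on host 192.168.3.14, which is also
# the gateway in front of 10.1.1.0/24.

# Manual keying. No algorithms are named, so ipsecctl(8) picks its defaults
# (HMAC-SHA2-256 and AES counter mode). The key files hold hex keys of the
# length those algorithms require, and must be readable by root only.
esp from 192.168.3.14 to 192.168.3.12 spi 0xdeadbeef:0xbeefdead \
    authkey file "auth14:auth12" enckey file "enc14:enc12"

# Automatic keying. ipsecctl(8) turns this into an isakmpd(8) configuration
# and feeds it over the daemon's FIFO; no isakmpd.conf is needed.
ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2


# Constructed example: /etc/ipsec.conf on the other side. Host 192.168.3.12
# mirrors the manual rule with from/to, SPI pairs and key files swapped,
# and gateway 192.168.3.2 mirrors the ike rule with the networks swapped.
esp from 192.168.3.12 to 192.168.3.14 spi 0xbeefdead:0xdeadbeef \
    authkey file "auth12:auth14" enckey file "enc12:enc14"

ike esp from 10.1.2.0/24 to 10.1.1.0/24 peer 192.168.3.1
```

`ipsecctl -n -f /etc/ipsec.conf` checks the syntax without touching the kernel, `ipsecctl -f /etc/ipsec.conf` loads the rules, and `ipsecctl -s all` shows the flows and SAs that resulted, which is the quickest way to confirm that the two sides agree on SPIs and directions.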

There's more where that came from, including improved RAID support and other stuff. Check out the article for more.
