WARNING: pseudo-random number generator used for IPsec processing - BSD

This is a discussion on WARNING: pseudo-random number generator used for IPsec processing - BSD ; Hi, all! While "optimizing" my nanobsd setup for my Soekris Net4801 device, I've come across this message at every boot: WARNING: pseudo-random number generator used for IPsec processing But I do have a crypto card in this box. Kernel config: ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: WARNING: pseudo-random number generator used for IPsec processing

  1. WARNING: pseudo-random number generator used for IPsec processing

    Hi, all!

    While "optimizing" my nanobsd setup for my Soekris Net4801
    device, I've come across this message at every boot:

    WARNING: pseudo-random number generator used for IPsec processing

    But I do have a crypto card in this box. Kernel config:

    options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
    device crypto # core crypto support
    device cryptodev # /dev/crypto for access to h/w
    device hifn # Hifn 7951, 7781, etc.

    Dmesg output:

    hifn0 mem 0xa0003000-0xa0003fff,0xa0004000-0xa0005fff,0xa0008000-0xa000ffff irq 11 at device 10.0 on pci0
    hifn0: Hifn 7955, rev 0, 32KB dram, pll=0x800

    Sysctl:

    ardbeg# sysctl kern.random
    kern.random.yarrow.gengateinterval: 10
    kern.random.yarrow.bins: 10
    kern.random.yarrow.fastthresh: 192
    kern.random.yarrow.slowthresh: 256
    kern.random.yarrow.slowoverthresh: 2
    kern.random.sys.seeded: 1
    kern.random.sys.harvest.ethernet: 1
    kern.random.sys.harvest.point_to_point: 1
    kern.random.sys.harvest.interrupt: 1
    kern.random.sys.harvest.swi: 0

    So, why these boot time warnings? Shouldn't the system use the
    Hifn device? The random(4) manpage claims most of these
    sysctl values should not be there at all if a HW random genrator
    is used, which sounds logical. If yarrow is not used at all ...

    It seems to be used by IPSec:

    ardbeg# /tmp/hifnstats
    input 334636312 bytes 616365 packets
    output 334636312 bytes 616365 packets
    invalid 0 nomem 0 abort 0
    noirq 0 unaligned 607591
    totbatch 0 maxbatch 0
    nomem: map 0 load 0 mbuf 0 mcl 0 cr 23 sd 0

    According to the Hifn 7955 data sheet it features a
    "True Hardware Random Number Generator".

    Thanks,
    Patrick
    --
    punkt.de GmbH Internet - Dienstleistungen - Beratung
    Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe http://punkt.de

  2. Re: WARNING: pseudo-random number generator used for IPsec processing

    On 2006-11-29, Patrick M. Hausen wrote:
    > Hi, all!
    >
    > While "optimizing" my nanobsd setup for my Soekris Net4801
    > device, I've come across this message at every boot:
    >
    > WARNING: pseudo-random number generator used for IPsec processing
    >
    > But I do have a crypto card in this box. Kernel config:
    >
    > options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
    > device crypto # core crypto support
    > device cryptodev # /dev/crypto for access to h/w
    > device hifn # Hifn 7951, 7781, etc.


    Do you have device random?

    Kris

  3. Re: WARNING: pseudo-random number generator used for IPsec processing

    Hi!

    Kris Kennaway wrote:
    > On 2006-11-29, Patrick M. Hausen wrote:


    > > WARNING: pseudo-random number generator used for IPsec processing
    > >
    > > But I do have a crypto card in this box. Kernel config:
    > > ...


    > Do you have device random?


    Yes. Wrong?

    Thanks,
    Patrick
    --
    punkt.de GmbH Internet - Dienstleistungen - Beratung
    Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe http://punkt.de

  4. Re: WARNING: pseudo-random number generator used for IPsec processing

    On 2006-12-01, Patrick M. Hausen wrote:
    > Hi!
    >
    > Kris Kennaway wrote:
    >> On 2006-11-29, Patrick M. Hausen wrote:

    >
    >> > WARNING: pseudo-random number generator used for IPsec processing
    >> >
    >> > But I do have a crypto card in this box. Kernel config:
    >> > ...

    >
    >> Do you have device random?

    >
    > Yes. Wrong?


    No, that's what it should be. For some reason the "good" random
    number generator wasn't returning enough bytes to satisfy ipsec. This
    shouldn't happen by design AFAIK, so something must be wrong.

    I don't have any other ideas right now, so please file a PR.

    Kris


+ Reply to Thread