* Kernel IPSec Questions
@ 2011-07-29 5:40 T C
2011-07-29 7:03 ` Andreas Steffen
0 siblings, 1 reply; 4+ messages in thread
From: T C @ 2011-07-29 5:40 UTC (permalink / raw)
To: netdev
Hi all,
I have some questions on how IPSec logic works in the kernel. There might be
a difference between when XFRM was introduced and prior. If possible,
I like to know both scenarios. If not, at least from XFRM perspective would
be very helpful.
Specifically, I am interested in knowing how does IPSec obtain the initial keys
from IKE exchange (and likely from XFRM) to set up the SA. Also what happens
during rekeying? Does the SA have to be terminated first, or somehow it can be
rekey'ed and continue as the same SA? I'll be using strongswan for IKE.
Function names and if possible some flow graphs would be greatly appreciated.
Thanks,
Terry
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Kernel IPSec Questions
2011-07-29 5:40 Kernel IPSec Questions T C
@ 2011-07-29 7:03 ` Andreas Steffen
2011-07-29 17:56 ` T C
0 siblings, 1 reply; 4+ messages in thread
From: Andreas Steffen @ 2011-07-29 7:03 UTC (permalink / raw)
To: T C; +Cc: netdev
Hello Terry,
here a repost of my email including the netdev list and fixing
the last URL which was wrong.
Here the definition of strongSwan's IPsec high level kernel interface
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/kernel/kernel_ipsec.h;h=986e21fca1bbd109445e95d86dbf458095299573;hb=HEAD
and here the link to the kernel-netlink plugin which implements
configuration and management of IPsec Policies and SAs via XFRM
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD
Our plugin of course relies on the ipsec.h, netlink.h, rtnetlink.h,
and xfrm.h Linux header files which define the API of the XFRM Netlink
kernel interface
http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/include/linux;h=a41d3e9a10954c47aff2efeb06576f323c039483;hb=HEAD
Much more documentation than the Linux header files and the XFRM kernel
source code itself does not exist.
Finally a link which shows how strongSwan installs, updates, queries
and deletes IPsec Policies and SAs
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/child_sa.c;h=cda150f8736d010cf8d897071427daf8a02a337a;hb=HEAD
Just look for all "hydra->kernel_interface" function calls.
Best regards
Andreas
On 07/29/2011 07:40 AM, T C wrote:
> Hi all,
>
> I have some questions on how IPSec logic works in the kernel. There might be
> a difference between when XFRM was introduced and prior. If possible,
> I like to know both scenarios. If not, at least from XFRM perspective would
> be very helpful.
>
> Specifically, I am interested in knowing how does IPSec obtain the initial keys
> from IKE exchange (and likely from XFRM) to set up the SA. Also what happens
> during rekeying? Does the SA have to be terminated first, or somehow it can be
> rekey'ed and continue as the same SA? I'll be using strongswan for IKE.
>
> Function names and if possible some flow graphs would be greatly appreciated.
>
> Thanks,
> Terry
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
======================================================================
Andreas Steffen andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Kernel IPSec Questions
2011-07-29 7:03 ` Andreas Steffen
@ 2011-07-29 17:56 ` T C
2011-07-29 20:20 ` Andreas Steffen
0 siblings, 1 reply; 4+ messages in thread
From: T C @ 2011-07-29 17:56 UTC (permalink / raw)
To: Andreas Steffen; +Cc: netdev
Hi Andreas,
Thanks for the URLs. I'll look thru them.
As far as strongswan is concerned, Martin has been very helpful in
explaining all the active actions that StrongSwan takes from
the user side. So actions taken by IKE daemon based on configuration
files I already have info on that. However,
the part that remains mostly unfamiliar is those actions taken by the
kernel during rekeying by sending messages back
from the kernel to the IKE daemon. Do you happen to know anything
about that? How are those actions trigged and what
happens to the communication channels during rekeying is what I am
most interested in finding out. If your URLs already
contain something that'll point to those, I'll find out from them. If
there is additional info on this, could you share them
as well?
Thanks,
Terry
On Fri, Jul 29, 2011 at 12:03 AM, Andreas Steffen
<andreas.steffen@strongswan.org> wrote:
> Hello Terry,
>
> here a repost of my email including the netdev list and fixing
> the last URL which was wrong.
>
> Here the definition of strongSwan's IPsec high level kernel interface
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/kernel/kernel_ipsec.h;h=986e21fca1bbd109445e95d86dbf458095299573;hb=HEAD
>
> and here the link to the kernel-netlink plugin which implements
> configuration and management of IPsec Policies and SAs via XFRM
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD
>
> Our plugin of course relies on the ipsec.h, netlink.h, rtnetlink.h,
> and xfrm.h Linux header files which define the API of the XFRM Netlink
> kernel interface
>
> http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/include/linux;h=a41d3e9a10954c47aff2efeb06576f323c039483;hb=HEAD
>
> Much more documentation than the Linux header files and the XFRM kernel
> source code itself does not exist.
>
> Finally a link which shows how strongSwan installs, updates, queries
> and deletes IPsec Policies and SAs
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/child_sa.c;h=cda150f8736d010cf8d897071427daf8a02a337a;hb=HEAD
>
> Just look for all "hydra->kernel_interface" function calls.
>
> Best regards
>
> Andreas
>
> On 07/29/2011 07:40 AM, T C wrote:
>> Hi all,
>>
>> I have some questions on how IPSec logic works in the kernel. There might be
>> a difference between when XFRM was introduced and prior. If possible,
>> I like to know both scenarios. If not, at least from XFRM perspective would
>> be very helpful.
>>
>> Specifically, I am interested in knowing how does IPSec obtain the initial keys
>> from IKE exchange (and likely from XFRM) to set up the SA. Also what happens
>> during rekeying? Does the SA have to be terminated first, or somehow it can be
>> rekey'ed and continue as the same SA? I'll be using strongswan for IKE.
>>
>> Function names and if possible some flow graphs would be greatly appreciated.
>>
>> Thanks,
>> Terry
>> --
>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen@strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Kernel IPSec Questions
2011-07-29 17:56 ` T C
@ 2011-07-29 20:20 ` Andreas Steffen
0 siblings, 0 replies; 4+ messages in thread
From: Andreas Steffen @ 2011-07-29 20:20 UTC (permalink / raw)
To: T C; +Cc: netdev
Hello Terry,
each IPsec SA in the kernel has a lifetime configuration consisting
of both a soft and a hard limit for the number of bytes, number of
packets and time:
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 903(sec), hard 1200(sec)
expire use: soft 0(sec), hard 0(sec)
Each time one of the soft or hard limits is reached, the Linux kernel
generates an XFRM_MSG_EXPIRE message to which the charon daemon
subscribes when creating the NETLINK_XFRM socket:
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD#l2664
The callback function receive_events() is triggered by these
subscribed XFRM messages:
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD#l939
In the case of XFRM_MSG_EXPIRE the function process_expire() is
called:
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD#l939
which in turn calls hydra->kernel_interface->expire():
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/kernel/kernel_interface.c;h=ebe653ec4582ef2c16024d1cc5711d51c8b45970;hb=HEAD#l388
All registered expire listeners are notified, in our case the libcharon
listener:
http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/kernel/kernel_handler.c;h=51fccb1acd6d7813bb83517428fc8f7b15f841d5;hb=HEAD#l75
As you can see, if a soft limit was reached then a CHILD_SA rekeying
job is scheduled
job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);
and if a hard limit is reached (what should not happen with rekey=yes)
then the CHILD_SA is deleted
job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);
Best regards
Andreas
On 29.07.2011 19:56, T C wrote:
> Hi Andreas,
>
> Thanks for the URLs. I'll look thru them.
>
> As far as strongswan is concerned, Martin has been very helpful in
> explaining all the active actions that StrongSwan takes from
> the user side. So actions taken by IKE daemon based on configuration
> files I already have info on that. However,
> the part that remains mostly unfamiliar is those actions taken by the
> kernel during rekeying by sending messages back
> from the kernel to the IKE daemon. Do you happen to know anything
> about that? How are those actions trigged and what
> happens to the communication channels during rekeying is what I am
> most interested in finding out. If your URLs already
> contain something that'll point to those, I'll find out from them. If
> there is additional info on this, could you share them
> as well?
>
> Thanks,
> Terry
>
> On Fri, Jul 29, 2011 at 12:03 AM, Andreas Steffen
> <andreas.steffen@strongswan.org> wrote:
>> Hello Terry,
>>
>> here a repost of my email including the netdev list and fixing
>> the last URL which was wrong.
>>
>> Here the definition of strongSwan's IPsec high level kernel interface
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/kernel/kernel_ipsec.h;h=986e21fca1bbd109445e95d86dbf458095299573;hb=HEAD
>>
>> and here the link to the kernel-netlink plugin which implements
>> configuration and management of IPsec Policies and SAs via XFRM
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD
>>
>> Our plugin of course relies on the ipsec.h, netlink.h, rtnetlink.h,
>> and xfrm.h Linux header files which define the API of the XFRM Netlink
>> kernel interface
>>
>> http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/include/linux;h=a41d3e9a10954c47aff2efeb06576f323c039483;hb=HEAD
>>
>> Much more documentation than the Linux header files and the XFRM kernel
>> source code itself does not exist.
>>
>> Finally a link which shows how strongSwan installs, updates, queries
>> and deletes IPsec Policies and SAs
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/child_sa.c;h=cda150f8736d010cf8d897071427daf8a02a337a;hb=HEAD
>>
>> Just look for all "hydra->kernel_interface" function calls.
>>
>> Best regards
>>
>> Andreas
======================================================================
Andreas Steffen andreas.steffen@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-07-29 20:20 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-07-29 5:40 Kernel IPSec Questions T C
2011-07-29 7:03 ` Andreas Steffen
2011-07-29 17:56 ` T C
2011-07-29 20:20 ` Andreas Steffen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.