Date:	Fri, 29 Jul 2011 09:03:52 +0200
From:	Andreas Steffen <andreas.steffen@...ongswan.org>
To:	T C <tccheung1@...il.com>
CC:	netdev@...r.kernel.org
Subject: Re: Kernel IPSec Questions

Hello Terry,

Here is a repost of my email, including the netdev list and fixing
the last URL, which was wrong.

Here is the definition of strongSwan's IPsec high-level kernel interface:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/kernel/kernel_ipsec.h;h=986e21fca1bbd109445e95d86dbf458095299573;hb=HEAD

and here is the link to the kernel-netlink plugin, which implements
configuration and management of IPsec policies and SAs via XFRM:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=06720a0f4bddf9fde60288f796df0eca647ae995;hb=HEAD

Our plugin of course relies on the ipsec.h, netlink.h, rtnetlink.h
and xfrm.h Linux header files, which define the API of the XFRM Netlink
kernel interface:

http://git.strongswan.org/?p=strongswan.git;a=tree;f=src/include/linux;h=a41d3e9a10954c47aff2efeb06576f323c039483;hb=HEAD

There is not much more documentation than the Linux header files and
the XFRM kernel source code itself.

Finally, a link which shows how strongSwan installs, updates, queries
and deletes IPsec policies and SAs:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/child_sa.c;h=cda150f8736d010cf8d897071427daf8a02a337a;hb=HEAD

Just look for all "hydra->kernel_interface" function calls.

Best regards

Andreas

On 07/29/2011 07:40 AM, T C wrote:
> Hi all,
> 
> I have some questions on how IPsec logic works in the kernel.  There might be
> a difference between when XFRM was introduced and prior.  If possible,
> I'd like to know both scenarios.  If not, at least the XFRM perspective would
> be very helpful.
> 
> Specifically, I am interested in knowing how IPsec obtains the initial keys
> from the IKE exchange (and likely via XFRM) to set up the SA.   Also, what happens
> during rekeying?  Does the SA have to be terminated first, or can it somehow be
> rekeyed and continue as the same SA?  I'll be using strongSwan for IKE.
> 
> Function names and if possible some flow graphs would be greatly appreciated.
> 
> Thanks,
> Terry
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
======================================================================
Andreas Steffen                         andreas.steffen@...ongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
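To make the XFRM Netlink interface referred to above concrete, here is an added example (not strongSwan's code, and not taken from the thread) that encodes an XFRM_MSG_NEWSA request for one tunnel-mode ESP SA, then walks the attributes back out the way a GETSA reply would be decoded. It only uses the Linux uapi headers mentioned in the mail (netlink.h, rtnetlink.h, xfrm.h); the addresses, SPI, reqid and AES key are constructed sample values, and the message is built in memory and never sent, so it runs without a NETLINK_XFRM socket or CAP_NET_ADMIN. Installing the SA for real would mean writing this buffer to a NETLINK_XFRM socket, which is the part the kernel-netlink plugin adds on top of this encoding.

```c
/* Encode/decode an XFRM_MSG_NEWSA message for one ESP SA (added example, not strongSwan code).
 * Built and parsed in memory only: no socket, no privileges needed. Sample values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>

struct newsa_req {
    struct nlmsghdr hdr;          /* netlink header: type, flags, total length */
    struct xfrm_usersa_info sa;   /* SA identity, mode, reqid, lifetimes */
    char attrs[512];              /* rtattr-encoded attributes (algorithms, ...) */
};

/* Append one rtattr after the current end of the message; -1 if it would overflow maxlen. */
static int add_attr(struct nlmsghdr *hdr, size_t maxlen, unsigned short type,
                    const void *data, size_t len)
{
    size_t rta_len = RTA_LENGTH(len);
    size_t end = NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(rta_len);
    struct rtattr *rta;
    if (end > maxlen)
        return -1;
    rta = (struct rtattr *)((char *)hdr + NLMSG_ALIGN(hdr->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = (unsigned short)rta_len;
    memcpy(RTA_DATA(rta), data, len);
    hdr->nlmsg_len = (uint32_t)end;
    return 0;
}

/* Encode a request to install a tunnel-mode ESP SA with AES-CBC.
 * Returns the message length in bytes, or -1 on bad input or overflow. */
int build_newsa(struct newsa_req *req, const char *src, const char *dst,
                uint32_t spi, uint32_t reqid, const uint8_t *key, size_t key_len)
{
    char algbuf[sizeof(struct xfrm_algo) + 32];
    struct xfrm_algo *alg = (struct xfrm_algo *)algbuf;
    if (key_len != 16 && key_len != 24 && key_len != 32)
        return -1;                               /* only valid AES key sizes */
    memset(req, 0, sizeof(*req));
    req->hdr.nlmsg_len   = NLMSG_LENGTH(sizeof(req->sa));
    req->hdr.nlmsg_type  = XFRM_MSG_NEWSA;
    req->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    /* The kernel identifies an SA by (daddr, spi, proto); reqid ties it to policies. */
    if (inet_pton(AF_INET, src, &req->sa.saddr.a4) != 1 ||
        inet_pton(AF_INET, dst, &req->sa.id.daddr.a4) != 1)
        return -1;
    req->sa.id.spi        = htonl(spi);
    req->sa.id.proto      = IPPROTO_ESP;
    req->sa.family        = AF_INET;
    req->sa.mode          = XFRM_MODE_TUNNEL;
    req->sa.reqid         = reqid;
    req->sa.replay_window = 32;
    /* Zero byte/packet limits would expire the SA immediately; XFRM_INF means unlimited. */
    req->sa.lft.soft_byte_limit   = XFRM_INF;
    req->sa.lft.hard_byte_limit   = XFRM_INF;
    req->sa.lft.soft_packet_limit = XFRM_INF;
    req->sa.lft.hard_packet_limit = XFRM_INF;
    /* Keying material travels as an XFRMA_ALG_CRYPT attribute: name, key bits, key bytes. */
    memset(algbuf, 0, sizeof(algbuf));
    strncpy(alg->alg_name, "cbc(aes)", sizeof(alg->alg_name) - 1);
    alg->alg_key_len = (unsigned int)(key_len * 8);
    memcpy(alg->alg_key, key, key_len);
    if (add_attr(&req->hdr, sizeof(*req), XFRMA_ALG_CRYPT, alg, sizeof(*alg) + key_len) < 0)
        return -1;
    return (int)req->hdr.nlmsg_len;
}

/* Walk the attributes of a NEWSA (or a GETSA reply) and return XFRMA_ALG_CRYPT, or NULL. */
const struct xfrm_algo *find_crypt_alg(const struct nlmsghdr *hdr)
{
    char *payload = (char *)NLMSG_DATA(hdr);
    struct rtattr *rta = (struct rtattr *)(payload + NLMSG_ALIGN(sizeof(struct xfrm_usersa_info)));
    int len = (int)hdr->nlmsg_len - (int)NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type == XFRMA_ALG_CRYPT)
            return (const struct xfrm_algo *)RTA_DATA(rta);
    return NULL;
}

/* Encoded length for a constructed sample SA with a key of key_len bytes (-1 if rejected). */
int encoded_length(size_t key_len)
{
    struct newsa_req req;
    uint8_t key[32] = {0};
    return build_newsa(&req, "192.0.2.1", "198.51.100.1", 0xc0ffee01u, 42, key, key_len);
}

/* Round trip: encode, decode the algorithm back. Returns 0 on success, else the failing step. */
int self_check(void)
{
    struct newsa_req req;
    uint8_t key[16];
    const struct xfrm_algo *alg;
    int i, len;
    for (i = 0; i < 16; i++) key[i] = (uint8_t)i;     /* constructed sample key */
    len = build_newsa(&req, "192.0.2.1", "198.51.100.1", 0xc0ffee01u, 42, key, sizeof(key));
    if (len <= 0 || len != (int)req.hdr.nlmsg_len)                        return 1;
    if (req.hdr.nlmsg_type != XFRM_MSG_NEWSA)                              return 2;
    if (ntohl(req.sa.id.spi) != 0xc0ffee01u || req.sa.reqid != 42)        return 3;
    if ((alg = find_crypt_alg(&req.hdr)) == NULL)                          return 4;
    if (strcmp(alg->alg_name, "cbc(aes)") != 0 || alg->alg_key_len != 128) return 5;
    if (memcmp(alg->alg_key, key, sizeof(key)) != 0)                       return 6;
    if (build_newsa(&req, "not-an-ip", "198.51.100.1", 1, 1, key, 16) != -1) return 7;
    return 0;
}

int main(void)
{
    printf("XFRM_MSG_NEWSA sample: %d bytes, self_check=%d\n", encoded_length(16), self_check());
    return self_check() == 0 ? 0 : 1;
}
```

The reqid is the field worth noticing for the rekeying question in the thread: the SA itself is keyed by (daddr, spi, proto), while policies refer to SAs through reqid, which is why a daemon can install a fresh SA with a new SPI under the same reqid and let policies keep matching it.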