[strongSwan-dev] CGA support

aurelien.wailly at orange-ftgroup.com aurelien.wailly at orange-ftgroup.com
Fri Aug 13 16:54:36 CEST 2010


> I haven't studied CGA in detail yet, but sounds interesting.

It simply links an IPv6 address to a public key; it was introduced in SEND.

> Maybe I just missed something, but I don't see any changesets in the
> repo. It is very difficult for us to find your changes. We would need a
> set of proper patches to do a review.

Hum, yes, sorry, I committed the final version. I made a clean and proper
commit this time (started at version 137), but something is buggy with
4.4.2dr1 and it reads freed memory. I have put some valgrind and gdb logs.


> What I've seen so far is that you have introduced a new
> cga_authenticator. It looks very similar to the pubkey authenticator. Is
> there any notable difference (except for the cert payload parsing and
> CGA address verification) in the AUTH payload itself? If not, I'd prefer
> a more separated approach that handles just the CERT payload and reuse
> the existing authenticator.

Yes, CGA verification is handled just before the usual public key verification.
Working on it :)

> Btw: We use custom printf specifiers that allow us to print certain
> objects directly. Make sure to use the proper specifier for the object
> you are printing (%Y for identification_t, %H for host_t, ...).
> There are also specifiers to print hex dumps (%b takes ptr, len
> arguments, %B takes a chunk_t pointer), no need to write your own hex
> dumper.

Nice, changed it.
I will add licenses as your previous link suggested.


