[strongSwan-dev] Phase 2 rekeying using different physical channel

Martin Willi martin at strongswan.org
Fri Jul 13 11:23:28 CEST 2012


> then do child rekeying key exchange using another secure channel
> (provided by an external device, for example QKD device).

I see.

> That's why I need access to PF_KEY, to intercept the expire message
> from kernel, do the new key exchange through external secure channel
> and then send back to kernel new key to update SADB.

It is probably better to do your custom rekeying at a higher level in
charon. Otherwise the state in the SAD wouldn't match the state in
the IKE daemon.

Expire messages trigger a rekey job, and this job finally calls
rekey_child_sa() on the IKE_SA [1]. Instead of queueing the child_rekey
task, you can do your own rekey procedure.

This procedure would basically set up a new child_sa_t, using its
alloc_spi(), install() and add_policies() methods with your negotiated
key material and other parameters. Once you have negotiated the new
CHILD_SA, you can delete the old one, completing the rekeying.

> Do you think it would be possible to do it with a plugin or I should
> change charon?

Our plugin interfaces are not sufficient to hook in your own rekeying
handler, you'll have to extend charon itself.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ike_sa.c;h=a13a7a3b;hb=HEAD#l1343
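The ordering Martin describes (allocate SPI, install the new SA with the externally negotiated key, switch policies, then delete the old SA) and his objection to driving the SAD directly can be shown with a small model. The block below is an added example, not strongSwan code: `kernel_sad`, `daemon_child_spi`, `sad_install()`, `sad_delete()`, `sad_lookup()`, `external_channel_get_key()`, `rekey_in_daemon()`, `rekey_bypassing_daemon()` and `daemon_matches_sad()` are hypothetical stand-ins for the kernel SAD, charon's record of its CHILD_SA, the PF_KEY/Netlink operations, the external (QKD-style) key source and charon's child_sa_t methods. The "external" key is a deterministic fill so the example runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAS 8
#define KEY_LEN 32

/* One SA as the (modelled) kernel SAD sees it; real entries carry far more. */
typedef struct {
    uint32_t spi;
    uint8_t  key[KEY_LEN];
    bool     in_use;
} sad_entry_t;

/* Modelled kernel SAD, and the daemon's own idea of which SPI is current. */
static sad_entry_t kernel_sad[MAX_SAS];
static uint32_t daemon_child_spi;
static uint32_t next_spi = 0xc0000001u;

static void reset_model(void) {
    memset(kernel_sad, 0, sizeof kernel_sad);
    daemon_child_spi = 0;
    next_spi = 0xc0000001u;
}

/* Stand-ins for the SADB add/delete/get messages sent to the kernel. */
static bool sad_install(uint32_t spi, const uint8_t *key) {
    for (int i = 0; i < MAX_SAS; i++) {
        if (!kernel_sad[i].in_use) {
            kernel_sad[i].spi = spi;
            memcpy(kernel_sad[i].key, key, KEY_LEN);
            kernel_sad[i].in_use = true;
            return true;
        }
    }
    return false; /* SAD full */
}

static bool sad_delete(uint32_t spi) {
    for (int i = 0; i < MAX_SAS; i++) {
        if (kernel_sad[i].in_use && kernel_sad[i].spi == spi) {
            kernel_sad[i].in_use = false;
            return true;
        }
    }
    return false;
}

static const sad_entry_t *sad_lookup(uint32_t spi) {
    for (int i = 0; i < MAX_SAS; i++) {
        if (kernel_sad[i].in_use && kernel_sad[i].spi == spi) {
            return &kernel_sad[i];
        }
    }
    return NULL;
}

/* Hypothetical external channel (e.g. a QKD device) delivering key material;
   a deterministic fill here so the example needs no hardware. */
static void external_channel_get_key(uint8_t *key, uint8_t tag) {
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(tag ^ i);
}

/* Initial CHILD_SA: kernel and daemon both learn the SPI. */
static uint32_t child_sa_establish(void) {
    uint8_t key[KEY_LEN];
    external_channel_get_key(key, 0x11);
    uint32_t spi = next_spi++;
    if (!sad_install(spi, key)) return 0;
    daemon_child_spi = spi;
    return spi;
}

/* Rekey inside the daemon, in the order the mail describes:
   alloc_spi() -> install() -> add_policies() -> delete old CHILD_SA. */
static uint32_t rekey_in_daemon(void) {
    uint8_t key[KEY_LEN];
    external_channel_get_key(key, 0x22);
    uint32_t old_spi = daemon_child_spi;
    uint32_t new_spi = next_spi++;             /* alloc_spi()             */
    if (!sad_install(new_spi, key)) return 0;  /* install() with new key  */
    daemon_child_spi = new_spi;                /* add_policies(): switch  */
    sad_delete(old_spi);                       /* delete the old SA       */
    return new_spi;
}

/* Rekey by rewriting the SAD directly; charon is never told. */
static uint32_t rekey_bypassing_daemon(void) {
    uint8_t key[KEY_LEN];
    external_channel_get_key(key, 0x33);
    uint32_t old_spi = daemon_child_spi;
    uint32_t new_spi = next_spi++;
    sad_install(new_spi, key);
    sad_delete(old_spi);
    /* daemon_child_spi deliberately left stale: this is the mismatch. */
    return new_spi;
}

/* Does the SPI the daemon believes is current still exist in the SAD? */
static bool daemon_matches_sad(void) {
    return sad_lookup(daemon_child_spi) != NULL;
}

int main(void) {
    reset_model();
    child_sa_establish();
    uint32_t spi = rekey_in_daemon();
    printf("rekey in daemon:     spi=%08x consistent=%d\n", spi, daemon_matches_sad());
    rekey_bypassing_daemon();
    printf("rekey bypassing it:  consistent=%d\n", daemon_matches_sad());
    return 0;
}
```

After `rekey_in_daemon()` the daemon's SPI and the SAD agree; after `rekey_bypassing_daemon()` the daemon still references an SPI the kernel has deleted, so any later rekey, delete or usage-based expiry charon handles for that CHILD_SA would act on an SA that no longer exists.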