[strongSwan-dev] How to best conduct a cipher key update?
stefan.marksteiner at joanneum.at
Fri Nov 15 00:11:14 CET 2013
I'm sorry to post a little off-topic, but I need help from real experts as I can't seem to find any information about this issue on the web.
I am working on a C++ project where it is necessary to establish IPsec SAs with ESP and rapidly change the encryption key. To accomplish this I'm using Netlink/XFRM messages to alter the SAD
Right now I'm deleting the corresponding SA and creating a new one (XFRM_MSG_DELSA and subsequent XFRM_XFRM_MSG_NEWSA) to update the key. This seems a little bit clumsy to me.
Is there a better way to do this?
I've tried to use NLM_F_REPLACE in the Netlink message flags and XFRM_MSG_UPDSA as message type but these messages had simply no effect (Not even a Netlink error message). I've seen XFRM_MSG_UPDSA being used to complete SAs initiated by XFRM_MSG_ALLOCSPI messages from state larval to mature.
Is this the only purpose for XFRM_MSG_UPDSA-type messages or may I use them somehow to alter encryption keys?
As the keys have to change rapidly (as stated above), performance is a factor. Therefore I want to strain my system with the smallest amount of administrative IPsec (=Netlink/XFRM) operations as possible.
Any help from the IPsec dev sages is highly appreciated :)
Thanks and cheers,
More information about the Dev