[strongSwan-dev] strongSwan code kernel traps for opportunistic encryption

Robert James srobertjames at gmail.com
Mon Mar 7 15:49:28 CET 2016

strongSwan has the ability to install a kernel trap, so that when a
packet is sent to a particular host, on the fly an SA is created and
brought up, and then the packet is transformed via that SA.

I'd like to know more about this.  My goal is to prototype an
opportunistic encryption feature for strongSwan, to extend this
feature even to hosts which don't have a set SA in the conf file, but
where the SA parameters are discovered on the fly (perhaps via DNSSEC,
perhaps via another means).

1. Can you give a high level overview of how this trap works?
2. Which mechanism in the Linux kernel does it use?
3. Where is the relevant strongSwan source code for it?
4. I assume the kernel must cache the packet while the SA is being set
up and charon is keying it.  Is there a time limit here before
timeout? Or, since nothing has gone on the wire yet, do we have as
much time as we need?

My goal is to create code which uses a similar trap to discover the
appropriate parameters (e.g. via DNSSEC).  Once I have them, what is the
best API to pass them to charon to do the keying? And, once charon has
done the keying, how can I tell strongSwan to take it from there?

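For readers of this thread, an added example (not from the original post or the strongSwan project) of how such a trap policy is configured today: a swanctl.conf fragment in which `start_action = trap` installs the kernel policy up front, so the first matching outbound packet, rather than a static `start`, is what makes charon negotiate the SA. Addresses, the connection name and the certificate and identity names are placeholders.

```conf
# Added example (not from the original post): swanctl.conf fragment that
# installs a trap policy for a single peer. All names and addresses are
# placeholders chosen for illustration.
connections {
    oe-peer {
        remote_addrs = 192.0.2.10
        local {
            auth = pubkey
            certs = local-host.pem
        }
        remote {
            auth = pubkey
            id = "CN=peer.example.org"
        }
        children {
            oe-peer-net {
                # Traffic selectors: only packets to this host match the trap.
                local_ts  = 198.51.100.5/32
                remote_ts = 192.0.2.10/32
                # 'trap' installs the outbound kernel policy without an SA;
                # the first matching packet triggers a kernel acquire and
                # charon then initiates the IKE_SA and CHILD_SA on demand.
                start_action = trap
            }
        }
    }
}
```

After `swanctl --load-all`, `swanctl --list-pols` shows the trap policy on the strongSwan side and `ip xfrm policy` shows the corresponding kernel policy. Whether packets that match the policy while the SA is still being negotiated are queued or dropped is governed on Linux by the `net.core.xfrm_larval_drop` sysctl, which is worth checking when prototyping.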