[strongSwan] Users Digest, Vol 30, Issue 24

nagaraj nagaraj2 at gmail.com
Mon Jul 16 07:48:11 CEST 2012

Chris, Strongswan is just IKE control plane and it uses netkey ipsec
implementation in the native linux kernel for datapath where ESP
encryption/decryption happens.
Now regarding IPSec packet processing, security association and
security policy use xfrm architecture. IPSec SP which is represented
as xfrm_policy structure will be bound to the routing flow cache and
IPSec SA which is represented by xfrm_state structure is included in
destination cache dst_entry structure. This structure is chained to
form IPSec SA bundle.
IPSec Packet output processing:
The output part of XFRM architecture is placed between the IP layer
and the network driver layer. In general non-ipsec packet will be
passed to the network driver layer by a single destination output
function. However packets needing IPSec packet processing are
processed by xfrm functions which perform ESP, AH processing on them.
xfrm functions make a chain of destination output functions which is
called stackable destination. Each function shall match IPSec
processing like AH, ESP, IPCOMP. To be more specific, in order to pass
a packet to network driver layer following steps need to be followed:
1) Lookup routing table to decide output function by ip6_route_output( )
2) Lookup IPSec security policy
3) Lookup IPSec SA suitable for IPSec Security policy and destination
chain is created
4) To apply IPSec, packet is passed to the destination chain.

Here is the output flow:
ip6_dst_lookup( ) -----> ip6_route_output( ) ------> xfrm_lookup( )
------> flow_cache_lookup( ) ------> xfrm_policy_lookup( ) ------->
xfrm_tmpl_resolve( ) ----> xfrm_bundle_create ----------> ip6_xmit( )
-------> dst_output( ) (which calls destination output chain )

IPSec Packet Input processing
IPSec packet processing for input is in ip6_input_finsh( ), where it
uses inet6_protos hash table to retrieve xfrm_rcv structure from the
protocol number. xfrm_rcv has functions registered to do input packet
processing like ESP decryption and AH processing. Eventually,
decrypted packet is checked against xfrm6_pollicy_check( ) to ensure .

Hope that helps.


On Sun, Jul 15, 2012 at 3:00 AM,  <users-request at lists.strongswan.org> wrote:
> Send Users mailing list submissions to
>         users at lists.strongswan.org
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.strongswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
>         users-request at lists.strongswan.org
> You can reach the person managing the list at
>         users-owner at lists.strongswan.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
> Today's Topics:
>    1. Path of Execution (Chris Rogers)
> ----------------------------------------------------------------------
> Message: 1
> Date: Sat, 14 Jul 2012 14:04:30 -0400
> From: Chris Rogers <crogers122 at gmail.com>
> Subject: [strongSwan] Path of Execution
> To: users at lists.strongswan.org
> Message-ID:
>         <CAC4YorjUTRjNfepuu_AYCTGMrxpkRB4qKD7TtVLhf_szk9dXOQ at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> All,
> So over the past few weeks, I've been perusing through the StrongSwan
> source, trying to get a better understanding of how a packet actually gets
> encrypted, and then transmitted.  I'm still working in a *BSD environment,
> and it would help me greatly if someone could shed light on the following:
> - What libraries are called first to initiate encryption?
> - In BSD, Kernel-Pfkey is responsible for interfacing with the kernel, but
> where are the calls to kernel level encryption functions?
> As of now, I'm only concerned with ESP.  Thanks for the help.
> Chris
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.strongswan.org/pipermail/users/attachments/20120714/e38b0461/attachment-0001.html
> ------------------------------
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> End of Users Digest, Vol 30, Issue 24
> *************************************

More information about the Users mailing list