[strongSwan] Users Digest, Vol 30, Issue 24

Shukla, Sanjay Sanjay.Shukla at ipc.com
Mon Jul 16 16:35:10 CEST 2012


For the output flow you explained, what debug level can be raised to see how all this is happening, if one is interested?

Thanks for the great explanation.


-----Original Message-----
From: users-bounces+sanjay.shukla=ipc.com at lists.strongswan.org [mailto:users-bounces+sanjay.shukla=ipc.com at lists.strongswan.org] On Behalf Of nagaraj
Sent: Monday, July 16, 2012 1:48 AM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Users Digest, Vol 30, Issue 24

Chris, strongSwan is just the IKE control plane; it uses the NETKEY IPsec implementation in the native Linux kernel for the datapath, where ESP encryption/decryption happens.
Now, regarding IPsec packet processing: security associations and security policies use the xfrm architecture. The IPsec SP, represented by the xfrm_policy structure, is bound to the routing flow cache, and the IPsec SA, represented by the xfrm_state structure, is included in the destination cache dst_entry structure. These structures are chained to form an IPsec SA bundle.
IPsec packet output processing:
The output part of the XFRM architecture is placed between the IP layer and the network driver layer. In general, a non-IPsec packet is passed to the network driver layer by a single destination output function. However, packets needing IPsec processing are handled by xfrm functions, which perform ESP and AH processing on them.
The xfrm functions make a chain of destination output functions, which is called a stackable destination. Each function corresponds to one kind of IPsec processing, like AH, ESP or IPCOMP. To be more specific, in order to pass a packet to the network driver layer, the following steps are followed:
1) Look up the routing table to decide the output function, via ip6_route_output( )
2) Look up the IPsec security policy
3) Look up an IPsec SA suitable for the IPsec security policy; the destination chain is created
4) To apply IPsec, the packet is passed to the destination chain.

Here is the output flow:
ip6_dst_lookup( ) ---> ip6_route_output( ) ---> xfrm_lookup( )
---> flow_cache_lookup( ) ---> xfrm_policy_lookup( )
---> xfrm_tmpl_resolve( ) ---> xfrm_bundle_create( ) ---> ip6_xmit( )
---> dst_output( ) (which calls the destination output chain)

IPsec packet input processing:
IPsec packet input processing is in ip6_input_finish( ), where it uses the inet6_protos hash table to retrieve the xfrm_rcv structure from the protocol number. xfrm_rcv has functions registered to do input packet processing, like ESP decryption and AH processing. Eventually, the decrypted packet is checked against xfrm6_policy_check( ) to ensure .

Hope that helps.


On Sun, Jul 15, 2012 at 3:00 AM,  <users-request at lists.strongswan.org> wrote:
> Today's Topics:
>    1. Path of Execution (Chris Rogers)
> ----------------------------------------------------------------------
> Message: 1
> Date: Sat, 14 Jul 2012 14:04:30 -0400
> From: Chris Rogers <crogers122 at gmail.com>
> Subject: [strongSwan] Path of Execution
> To: users at lists.strongswan.org
> Message-ID:
> <CAC4YorjUTRjNfepuu_AYCTGMrxpkRB4qKD7TtVLhf_szk9dXOQ at mail.gmail.com>
> All,
> So over the past few weeks, I've been perusing the StrongSwan
> source, trying to get a better understanding of how a packet actually
> gets encrypted and then transmitted.  I'm still working in a *BSD
> environment, and it would help me greatly if someone could shed light on the following:
> - What libraries are called first to initiate encryption?
> - In BSD, Kernel-Pfkey is responsible for interfacing with the kernel,
> but where are the calls to kernel level encryption functions?
> As of now, I'm only concerned with ESP.  Thanks for the help.
> Chris
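As an added illustration of the output-flow steps nagaraj describes above (policy lookup by selector, template resolution against installed SAs, bundle creation, and what happens when no SA exists yet), here is a small Python model. It is constructed for this page and is neither kernel code nor strongSwan code: the field names are simplified stand-ins for xfrm_selector, xfrm_tmpl, xfrm_policy and xfrm_state, and the addresses, reqid, SPI and algorithm in the sample tables are made up. The one kernel convention it reproduces is that a lower policy priority value wins.

```python
# Model of the Linux xfrm output-path lookup (constructed example, not kernel code).
# Steps modelled from the thread: 2) look up the security policy for the flow,
# 3) resolve the policy's templates to SAs and build a bundle, 4) apply it.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Selector:
    """Simplified xfrm_selector: src/dst prefixes plus optional proto and dport."""
    src: str
    dst: str
    proto: int = 0   # 0 means any protocol
    dport: int = 0   # 0 means any destination port

    def matches(self, flow: dict) -> bool:
        return (ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and self.proto in (0, flow.get("proto", 0))
                and self.dport in (0, flow.get("dport", 0)))


@dataclass
class Template:
    """Simplified xfrm_tmpl: the kind of SA the policy requires."""
    proto: str        # "esp", "ah" or "ipcomp"
    mode: str         # "tunnel" or "transport"
    reqid: int        # ties the template to the SAs the IKE daemon installed for it
    daddr: str = ""   # tunnel endpoint; empty means any (transport mode)


@dataclass
class Policy:
    """Simplified xfrm_policy. Lower priority value wins (as in `ip xfrm policy add ... priority N`)."""
    selector: Selector
    direction: str                 # "out", "in" or "fwd"
    action: str = "allow"          # "allow" or "block"
    priority: int = 0
    templates: list = field(default_factory=list)


@dataclass
class State:
    """Simplified xfrm_state: one installed SA."""
    spi: int
    proto: str
    mode: str
    reqid: int
    saddr: str
    daddr: str
    alg: str


def policy_lookup(policies, flow, direction):
    """Step 2: best-matching policy for this flow and direction, or None."""
    cands = [p for p in policies if p.direction == direction and p.selector.matches(flow)]
    return min(cands, key=lambda p: p.priority) if cands else None


def resolve_templates(policy, states):
    """Step 3: map each template to an installed SA, in template order.
    Returns None if any template has no SA yet (the kernel then sends an
    ACQUIRE to the IKE daemon instead of transmitting)."""
    bundle = []
    for t in policy.templates:
        sa = next((s for s in states
                   if s.proto == t.proto and s.mode == t.mode and s.reqid == t.reqid
                   and (not t.daddr or s.daddr == t.daddr)), None)
        if sa is None:
            return None
        bundle.append(sa)
    return bundle


def output_path(policies, states, flow):
    """Steps 2-4 for one outbound packet: returns (verdict, transforms applied)."""
    pol = policy_lookup(policies, flow, "out")
    if pol is None:
        return "plaintext", []     # no policy: ordinary dst_output, no xfrm involved
    if pol.action == "block":
        return "dropped", []
    bundle = resolve_templates(pol, states)
    if bundle is None:
        return "acquire", []       # SA missing: packet is not sent until IKE installs one
    return "protected", [f"{s.proto}/{s.mode} spi=0x{s.spi:08x} {s.saddr}->{s.daddr} {s.alg}"
                         for s in bundle]


# Constructed sample tables (made-up prefixes, endpoints, reqid, SPI, algorithm).
SAMPLE_POLICIES = [
    Policy(Selector("10.1.0.0/24", "10.2.0.0/24"), "out", priority=1000,
           templates=[Template("esp", "tunnel", reqid=1, daddr="192.0.2.2")]),
    Policy(Selector("10.1.0.0/24", "10.3.0.0/24"), "out", action="block", priority=2000),
]
SAMPLE_STATES = [
    State(spi=0xC1A2B3C4, proto="esp", mode="tunnel", reqid=1,
          saddr="192.0.2.1", daddr="192.0.2.2", alg="aes-gcm-128"),
]


def demo():
    """The four outcomes a practitioner would want to see side by side."""
    flows = {
        "tunnelled": {"src": "10.1.0.5", "dst": "10.2.0.7", "proto": 6, "dport": 443},
        "blocked":   {"src": "10.1.0.5", "dst": "10.3.0.7", "proto": 6},
        "bypass":    {"src": "10.1.0.5", "dst": "10.4.0.7", "proto": 17},
    }
    results = {n: output_path(SAMPLE_POLICIES, SAMPLE_STATES, f) for n, f in flows.items()}
    # The same tunnelled flow before the IKE daemon has installed the SA:
    results["no_sa_yet"] = output_path(SAMPLE_POLICIES, [], flows["tunnelled"])
    return results
```

On a live Linux host the tables this models are the ones printed by `ip xfrm policy` and `ip xfrm state`; `ip xfrm monitor` shows acquire and expire events as the kernel raises them, which is the moment the "acquire" outcome above hands control back to the IKE daemon.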
