[strongSwan] Rekeying of Child SA when the Linux kernel has been bypassed

Chinmaya Dwibedy ckdwibedy at yahoo.com
Wed Jan 28 11:22:08 CET 2015


Hi,

I modified the strongSwan (5.0.4) code to bypass strongSwan's IPsec Linux kernel interface. I implemented it so that the IPsec SAs can be inserted and deleted and the active tunnels can be retrieved from the data plane (NPU), which does the actual ESP encryption and decryption work.

Each IPsec SA in the Linux kernel has a lifetime configuration consisting of both a soft and a hard limit for the time. Each time one of the soft or hard limits is reached, the Linux kernel generates an XFRM_MSG_EXPIRE message, which the charon daemon processes as follows:

1. If a soft limit was reached, then a CHILD_SA rekeying job is scheduled:

    job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);

2. If a hard limit is reached, then the CHILD_SA is deleted:

    job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);

Since I have bypassed the kernel, can I do the following in the install function (defined in child_sa.c) for rekeying of the Child SA?

    u_int64_t soft_add_expires_seconds = 0;
    job_t *job;

    soft_add_expires_seconds = lifetime->time.rekey;
    if (soft_add_expires_seconds > 0)
    {
        job = (job_t*)rekey_child_sa_job_create(this->reqid,
                            proto_ike2ip(this->protocol), spi);
        lib->scheduler->schedule_job(lib->scheduler, job,
                            soft_add_expires_seconds * 1000);
        lib->processor->queue_job(lib->processor, job);
    }

I think the IPsec peer will start the Child SA rekey when the lifetime hits the value set in soft_add_expires_seconds. Through the Scheduler it is possible to schedule jobs for execution in the future. The Scheduler internally has a heap in which it stores the scheduled jobs, ordered by the time when they have to be executed. Similarly, when a hard limit is reached, the CHILD_SA should be deleted via a delete_child_sa_job_create job.

Please feel free to correct me if I am wrong.

Regards,
Chinmaya
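The soft/hard expiry behaviour described in the post, modelled in userspace with a time-ordered heap. This is an added example, not part of the original post and not strongSwan code: it does not use charon's scheduler, and every name in it (`sa_track`, `sa_next_due`, `struct event`) is hypothetical, with times in seconds and constructed SPI values.

```c
#include <stddef.h>
#include <stdint.h>
enum action { ACT_NONE, ACT_REKEY, ACT_DELETE };  /* soft limit -> rekey, hard -> delete */
struct event { uint64_t due; uint32_t spi; enum action act; };
#define MAX_EVENTS 64
static struct event heap[MAX_EVENTS];             /* min-heap, earliest due time at [0] */
static size_t heap_len;
static void swap_ev(size_t a, size_t b) { struct event t = heap[a]; heap[a] = heap[b]; heap[b] = t; }

static int push(struct event e) {
    if (heap_len == MAX_EVENTS) return -1;
    size_t i = heap_len++;
    heap[i] = e;
    for (; i > 0 && heap[(i - 1) / 2].due > heap[i].due; i = (i - 1) / 2)
        swap_ev(i, (i - 1) / 2);
    return 0;
}

static struct event pop(void) {
    struct event top = heap[0];
    heap[0] = heap[--heap_len];
    for (size_t i = 0, m = 0;; i = m) {            /* sift the moved element down */
        size_t l = 2 * i + 1, r = l + 1;
        if (l < heap_len && heap[l].due < heap[m].due) m = l;
        if (r < heap_len && heap[r].due < heap[m].due) m = r;
        if (m == i) break;
        swap_ev(i, m);
    }
    return top;
}

/* Called when an SA is installed; a limit of 0 disables that timer. */
int sa_track(uint32_t spi, uint64_t now, uint64_t soft_s, uint64_t hard_s) {
    if (soft_s && push((struct event){ now + soft_s, spi, ACT_REKEY }) < 0) return -1;
    if (hard_s && push((struct event){ now + hard_s, spi, ACT_DELETE }) < 0) return -1;
    return 0;
}

/* Pops the earliest event if it is due at `now`; ACT_NONE when nothing is due yet. */
enum action sa_next_due(uint64_t now, uint32_t *spi) {
    if (heap_len == 0 || heap[0].due > now) return ACT_NONE;
    struct event e = pop();
    *spi = e.spi;
    return e.act;
}

int main(void) {                                   /* constructed SPI and lifetimes */
    uint32_t spi = 0;
    return sa_track(0x1001, 0, 10, 20) || sa_next_due(10, &spi) != ACT_REKEY;
}
```

The model keeps firing events for an SPI even after that SA has been replaced, so a caller would still have to ignore a due event whose SA is no longer installed.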