mywiki:linux:ipsec
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| mywiki:linux:ipsec [2015/12/10 12:44] – [Kernel cryptography] super | mywiki:linux:ipsec [2019/09/15 18:55] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| **IPSec Implementation in Linux** | **IPSec Implementation in Linux** | ||
| + | |||
| + | | Reference | {{: | ||
| ====== IPSEC Basic ====== | ====== IPSEC Basic ====== | ||
| Line 36: | Line 38: | ||
| | XFRM framework | net/ | | XFRM framework | net/ | ||
| | XFRM initialization | xfrm4_init() and xfrm6_init(). | | | XFRM initialization | xfrm4_init() and xfrm6_init(). | | ||
| + | |||
| + | |||
| + | ===== Kernel Terms ===== | ||
| + | | aalg | **Authentication** algo pointer | | ||
| + | | ealg | **Encryption** algo pointer | | ||
| + | | calg | **Compression** algo pointer | | ||
| + | | aead | **Authentication Encryption** with Associated Data pointer | Note: if (aead == NULL); then only authentication without any encryption | | ||
| + | | encap | Data for **encapsulator**, | ||
| ===== Kernel cryptography ===== | ===== Kernel cryptography ===== | ||
| + | |||
| | acrypto | asynchronous crypto | | | acrypto | asynchronous crypto | | ||
| | cryptd | | | cryptd | | ||
| Line 204: | Line 215: | ||
| } | } | ||
| + | </ | ||
| + | |||
| + | ===== IPSec kernel | ||
| + | | Xfrm_lookup() | xfrm lookup(SPD and SAD) method | | ||
| + | | Xfrm_input() | xfrm processing for an ingress packet | | ||
| + | | Xfrm_output() | xfrm processing for an egress packet | | ||
| + | | Xfrm4_rcv() | IPv4 specific Rx method | | ||
| + | | Xfrm6_rcv() | IPv6 specific Rx method | | ||
| + | | Esp_input() | ESP processing for an ingress packet | | ||
| + | | Esp_output() | ESP processing for an egress packet | | ||
| + | | Ah_input() | AH processing for an ingress packet | | ||
| + | | Ah_output() | AH processing for an egress packet | | ||
| + | | xfrm_policy_alloc() | allocates an SPD object | | ||
| + | | Xfrm_policy_destroy() | frees an SPD object | | ||
| + | | xfrm_ policy_lookup | SPD lookup | | ||
| + | | xfrm_policy_byid() | SPD lookup based on id | | ||
| + | | Xfrm_policy_insert() | Add an entry to SPD | | ||
| + | | Xfrm_Policy_delete() | remove an entry from SPD | | ||
| + | | Xfrm_bundle_create() | creates a xfrm bundle | | ||
| + | | Xfrm_policy_delete() | releases the resources of a policy object | | ||
| + | | Xfrm_state_add() | add an entry to SAD | | ||
| + | | Xfrm_state_delete() | free and SAD object | | ||
| + | | xfrm_state_alloc() | allocate an SAD object | | ||
| + | | xfrm_state_lookup_byaddr() | src address based SAD lookup | | ||
| + | | xfrm_state_find() | SAD look up based on dst | | ||
| + | | xfrm_state_lookup() | SAD lookup based on spi | | ||
| + | |||
| + | ===== IPSec SA initialize ===== | ||
| + | It is initialized by API: **static int esp_init_state(struct xfrm_state *x)**, which is defined in file: | ||
| + | * net/ | ||
| + | * net/ | ||
| + | ===== IPSec Tx steps ===== | ||
| + | < | ||
| + | For better understanding I have divided the IPSec transmission process in 7 stepes as below | ||
| + | |||
| + | Step-1: Transport_layer_sendmsg() | ||
| + | |||
| + | Does TCP/UDP specific jobs are done here before going for route lookup | ||
| + | |||
| + | Step-2: ip_route_output_slow() | ||
| + | |||
| + | Xfrm_lookup() | ||
| + | |||
| + | Step-3: ip_local_output() | ||
| + | |||
| + | Step-4: ip_local_out() | ||
| + | |||
| + | | ||
| + | |||
| + | Calls skb-> | ||
| + | |||
| + | Step-5: xfrm4_output/ | ||
| + | |||
| + | Step-6: esp_output()/ | ||
| + | |||
| + | Step-7: ip_output() | ||
| + | |||
| + | Step-8: dev_queue_xmit() | ||
| + | |||
| + | Egress QoS comes here. | ||
| + | |||
| + | Step-9: dev-> | ||
| + | </ | ||
| + | ===== IPSec Rx steps ===== | ||
| + | < | ||
| + | For better understanding I have divided the IPSec reception process in 7 stepes, they are below | ||
| + | |||
| + | Step-1: netif_receive_skb() | ||
| + | |||
| + | Step-2: ip_rcv() | ||
| + | |||
| + | Netfilter PRE_ROUTING applies here. | ||
| + | |||
| + | Step-3: ip_receive_finish | ||
| + | |||
| + | Calls ip_route_input_noref(). Which finds the route entry and set dst-> | ||
| + | |||
| + | Step-4: ip_local_deliver | ||
| + | |||
| + | LOCAL_IN Netfilter part here. | ||
| + | |||
| + | Step-5: ip_local_deliver_finish() | ||
| + | |||
| + | Based on the protocol field of ip header (IPPROTO_AH, | ||
| + | |||
| + | Step-6: | ||
| + | |||
| + | Step-7: xfrm_input() | ||
| + | |||
| + | Calls xfrm_state_lookup() | ||
| + | |||
| + | calls esp_input()/ | ||
| + | |||
| + | Once again applies the PRE_ROUTING Netfilter, but now for the decapsulated packet | ||
| + | |||
| + | Step-8: xfrm4_rcv_encap_finish() | ||
| + | |||
| + | Will do the route lookup again for the decapsulated packet using ip_route_input_noref(). Again route lookup should decide for local_delivery. | ||
| + | |||
| + | Step-9: ip_local_delivery() | ||
| + | |||
| + | again the LOCAL_IN Netfilter for decapsulated packet | ||
| + | |||
| + | now the protocol field will be TCP/UDP and the packet flows in the native reception methods of TCP/UDP and delivers to the socket | ||
| + | |||
| + | Step-10: transport_layer_rcvmsg() | ||
| + | |||
| + | -to userspace | ||
| </ | </ | ||
mywiki/linux/ipsec.1449722691.txt.gz · Last modified: (external edit)