SGH_WIKI

User Tools

Site Tools

Trace:
mywiki:linux:ipsec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
mywiki:linux:ipsec [2015/12/10 12:49] – [Kernel cryptography] supermywiki:linux:ipsec [2019/09/15 18:55] (current) – external edit 127.0.0.1
Line 1: Line 1:
 **IPSec Implementation in Linux** **IPSec Implementation in Linux**
 +
 +| Reference | {{:mywiki:linux:chapter10_ipsec.pdf| ipsec_xfrm }} |
  
 ====== IPSEC Basic ====== ====== IPSEC Basic ======
Line 36: Line 38:
 | XFRM framework | net/ipv4/xfrm4_policy.c and net/ipv6/xfrm6_policy.c | | XFRM framework | net/ipv4/xfrm4_policy.c and net/ipv6/xfrm6_policy.c |
 | XFRM initialization | xfrm4_init() and xfrm6_init(). | | XFRM initialization | xfrm4_init() and xfrm6_init(). |
 +
 +
 +===== Kernel Terms =====
 +| aalg | **Authentication** algo pointer |
 +| ealg | **Encryption** algo pointer |
 +| calg | **Compression** algo pointer |
 +| aead | **Authentication Encryption** with Associated Data pointer | Note: if (aead == NULL); then only authentication without any encryption |
 +| encap | Data for **encapsulator**, ie, for **special UDP** Encapsulation only | draft-ietf-ipsec-udp-encaps-06 |
  
  
 ===== Kernel cryptography ===== ===== Kernel cryptography =====
 +
 | acrypto | asynchronous crypto | | acrypto | asynchronous crypto |
 | cryptd |  | cryptd | 
Line 231: Line 242:
 | xfrm_state_lookup() | SAD lookup based on spi | | xfrm_state_lookup() | SAD lookup based on spi |
  
 +===== IPSec SA initialize =====
 +It is initialized by API: **static int esp_init_state(struct xfrm_state *x)**, which is defined in file:
 +  * net/ipv4/esp4.c
 +  * net/ipv6/esp6.c
 +===== IPSec Tx steps =====
 +<file>
 +For better understanding I have divided the IPSec transmission process in 7 stepes as below
 +
 +Step-1: Transport_layer_sendmsg() 
 +
 +Does TCP/UDP specific jobs are done here before going for route lookup
 +
 +Step-2: ip_route_output_slow() 
 +
 +Xfrm_lookup()
 +
 +Step-3: ip_local_output()
 +
 +Step-4: ip_local_out()
 +
 + LOCAL_OUT netfilter applies here.
 +
 +Calls skb->dst->output(), which is xfrm4_output in case of ipv4 and xfrm6_output in the case of ipv6
 +
 +Step-5: xfrm4_output/xfrm6_output
 +
 +Step-6: esp_output()/ah_output()
 +
 +Step-7: ip_output()
 +
 +Step-8: dev_queue_xmit()
 +
 +Egress QoS comes here.
 +
 +Step-9: dev->ndo_start_xmit() 
 +</file>
 +===== IPSec Rx steps =====
 +<file>
 +For better understanding I have divided the IPSec reception process in 7 stepes, they are below
 +
 +Step-1: netif_receive_skb()
 +
 +Step-2: ip_rcv()
 +
 +Netfilter PRE_ROUTING applies here.
 +
 +Step-3: ip_receive_finish
 +
 +Calls ip_route_input_noref(). Which finds the route entry and set dst->output for local delivery, forwarding etc. But IPSec applies on the end systems ONLY. So we bothr if it is set for local delivery
 +
 +Step-4: ip_local_deliver
 +
 +LOCAL_IN Netfilter part here.
 +
 +Step-5: ip_local_deliver_finish()
 +
 +Based on the protocol field of  ip header (IPPROTO_AH, IPPROTO_ESP),  packet will be given to xfrm4_rcv() function
 +
 +Step-6:  xfrm4_rcv()
 +
 +Step-7: xfrm_input()
 +
 +Calls xfrm_state_lookup()
 +
 +calls esp_input()/ah_input()
 +
 +Once again applies the PRE_ROUTING Netfilter, but now  for the decapsulated packet
 +
 +Step-8: xfrm4_rcv_encap_finish()
 +
 +Will do the route lookup again for the decapsulated packet using ip_route_input_noref(). Again route lookup should decide for local_delivery.
 +
 +Step-9: ip_local_delivery()
 +
 +again the LOCAL_IN Netfilter for decapsulated packet
 +
 +now the protocol field will be TCP/UDP and the packet flows in the native reception methods of TCP/UDP and delivers to the socket
 +
 +Step-10: transport_layer_rcvmsg()
 +
 +-to userspace
 +</file>
mywiki/linux/ipsec.1449722957.txt.gz · Last modified: (external edit)