IPSec Implementation in Linux

IPsec Basics

Security scheme differences
  IPsec:    security scheme operating at the Internet layer of the Internet Protocol Suite; it protects any transport protocol and application above it without changes to them.
  TLS/SSH:  security schemes operating in the upper layers of the TCP/IP model (transport layer and above), set up per application or per connection.

IPsec protocols
  AH (Authentication Header):           provides source authentication and data integrity for IP datagrams, including the immutable fields of the IP header. It is not designed to provide confidentiality.
  ESP (Encapsulating Security Payload): provides confidentiality and, optionally, source authentication and data integrity. It never covers the outer IP header.

IPsec modes
  Transport mode, AH:   the payload and the immutable fields of the IP header are authenticated (mutable fields such as TTL and the header checksum are excluded from the ICV).
  Transport mode, ESP:  only the payload of the IP packet is encrypted and/or authenticated; the original IP header travels in the clear.
  Tunnel mode, AH:      the entire original IP packet (header and payload) is authenticated, together with the immutable fields of the new outer header.
  Tunnel mode, ESP:     the entire original IP packet is encrypted and/or authenticated and carried inside a new outer IP header.

Terms

SP (Security Policy): a rule in the Security Policy Database (SPD) that decides whether a given flow must be dropped, passed in the clear or handed to IPsec processing, and with which kind of SA.
SA (Security Association): a bundle of algorithms and parameters (such as keys) used to encrypt and/or authenticate a particular flow in one direction, stored in the Security Association Database (SAD). IPsec uses the Security Parameter Index (SPI, an index into the SAD) together with the destination address and the protocol (AH or ESP) taken from the packet header to uniquely identify the SA for that packet. Two-way traffic therefore needs two SAs.

Linux Implementation

User space (a keying daemon or the `ip xfrm` command) manages the SAD and the SPD through netlink messages sent on a NETLINK_XFRM socket and handled by net/xfrm/xfrm_user.c:

XFRM_MSG_NEWSA        add a new SA to the SAD
XFRM_MSG_DELSA        delete an SA from the SAD
XFRM_MSG_GETSA        get an SA from the SAD (with NLM_F_DUMP: dump all SAs)
XFRM_MSG_FLUSHSA      flush the SAD
XFRM_MSG_NEWPOLICY    add a new policy to the SPD
XFRM_MSG_DELPOLICY    delete a policy from the SPD
XFRM_MSG_GETPOLICY    get a policy from the SPD (with NLM_F_DUMP: dump all policies)
XFRM_MSG_FLUSHPOLICY  flush the SPD
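As an added example (not code from this wiki page or from the kernel tree), the program below builds the XFRM_MSG_NEWSA request that `ip xfrm state add` would send for one ESP SA, walks the attributes back the way the kernel's receive side does, and installs the SA over a NETLINK_XFRM socket when run with CAP_NET_ADMIN. The endpoints 10.0.0.1/10.0.0.2, SPI 0x1000, reqid 0x2a and the keys are constructed demo values.

```c
/* Added example, not code from this wiki page or from the kernel: build the
 * XFRM_MSG_NEWSA request behind `ip xfrm state add`, walk it back, and install
 * it over NETLINK_XFRM when run with CAP_NET_ADMIN. Endpoints, SPI, reqid and
 * keys are constructed demo values. Build on Linux: gcc -Wall -o newsa newsa.c */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SA_SPI   0x1000u  /* with daddr and proto, identifies the SA in the SAD */
#define SA_REQID 0x2au    /* the value an SP template names to select this SA */
struct req { struct nlmsghdr nlh; unsigned char buf[1024]; }; /* hdr, payload, attrs */
static struct req g_sa;

/* Append one attribute (struct nlattr + data) at the 4-byte-aligned tail. */
static int add_attr(struct nlmsghdr *nlh, size_t max, unsigned type,
                    const void *data, size_t len)
{
    size_t tail = NLMSG_ALIGN(nlh->nlmsg_len);
    struct nlattr *nla = (struct nlattr *)((char *)nlh + tail);
    if (tail + NLA_ALIGN(NLA_HDRLEN + len) > max)
        return -1;
    nla->nla_type = type;
    nla->nla_len = NLA_HDRLEN + len;
    memcpy((char *)nla + NLA_HDRLEN, data, len);
    nlh->nlmsg_len = tail + NLA_ALIGN(nla->nla_len);
    return 0;
}

/* Data of the first attribute of `type` after a `plen`-byte payload, or NULL;
 * lengths are checked, as the kernel's nlmsg_parse() does on the receive side. */
const void *find_attr(const struct nlmsghdr *nlh, size_t plen, unsigned type)
{
    size_t off = NLMSG_ALIGN(NLMSG_LENGTH(plen));
    while (off + NLA_HDRLEN <= nlh->nlmsg_len) {
        const struct nlattr *nla = (const void *)((const char *)nlh + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > nlh->nlmsg_len)
            return NULL;
        if (nla->nla_type == type)
            return (const char *)nla + NLA_HDRLEN;
        off += NLA_ALIGN(nla->nla_len);
    }
    return NULL;
}

/* XFRM_MSG_NEWSA for one outbound ESP SA: transport mode, AES-CBC and HMAC-SHA256
 * with the ICV truncated to 128 bits. Key bytes ride inline in the alg structs. */
size_t build_newsa(struct req *r)
{
    struct xfrm_usersa_info *sa = NLMSG_DATA(&r->nlh);
    _Alignas(struct xfrm_algo) unsigned char ebuf[sizeof(struct xfrm_algo) + 16] = {0};
    _Alignas(struct xfrm_algo_auth) unsigned char abuf[sizeof(struct xfrm_algo_auth) + 32] = {0};
    struct xfrm_algo *enc = (struct xfrm_algo *)ebuf;
    struct xfrm_algo_auth *auth = (struct xfrm_algo_auth *)abuf;

    memset(r, 0, sizeof *r);
    r->nlh.nlmsg_len = NLMSG_LENGTH(sizeof *sa);
    r->nlh.nlmsg_type = XFRM_MSG_NEWSA;
    r->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
    inet_pton(AF_INET, "10.0.0.1", &sa->saddr.a4);     /* constructed endpoints */
    inet_pton(AF_INET, "10.0.0.2", &sa->id.daddr.a4);
    sa->id.spi = htonl(SA_SPI);  sa->id.proto = IPPROTO_ESP;
    sa->family = AF_INET;        sa->mode = XFRM_MODE_TRANSPORT;
    sa->reqid = SA_REQID;        sa->replay_window = 32;  /* anti-replay bitmap */
    sa->lft.soft_byte_limit = sa->lft.hard_byte_limit = XFRM_INF;
    sa->lft.soft_packet_limit = sa->lft.hard_packet_limit = XFRM_INF;
    strcpy(enc->alg_name, "cbc(aes)");                 /* kernel crypto API names */
    enc->alg_key_len = 128;                            /* key length in bits */
    memset(enc->alg_key, 0x11, 16);                    /* constructed key, demo only */
    strcpy(auth->alg_name, "hmac(sha256)");
    auth->alg_key_len = 256;  auth->alg_trunc_len = 128;
    memset(auth->alg_key, 0x22, 32);                   /* constructed key, demo only */
    add_attr(&r->nlh, sizeof *r, XFRMA_ALG_CRYPT, enc, sizeof ebuf);
    add_attr(&r->nlh, sizeof *r, XFRMA_ALG_AUTH_TRUNC, auth, sizeof abuf);
    return r->nlh.nlmsg_len;
}

/* Send a request on a NETLINK_XFRM socket; return the kernel's ACK, 0 or -errno. */
int send_request(const struct req *r)
{
    unsigned char rbuf[2048];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) return -errno;
    if (send(fd, r, r->nlh.nlmsg_len, 0) < 0) { int e = errno; close(fd); return -e; }
    ssize_t n = recv(fd, rbuf, sizeof rbuf, 0);
    close(fd);
    if (n < (ssize_t)NLMSG_LENGTH(sizeof(struct nlmsgerr))) return -EIO;
    const struct nlmsghdr *h = (const struct nlmsghdr *)rbuf;
    return h->nlmsg_type == NLMSG_ERROR ? ((const struct nlmsgerr *)NLMSG_DATA(h))->error : -EPROTO;
}

int main(void)
{
    build_newsa(&g_sa);
    int rc = send_request(&g_sa);
    if (rc) fprintf(stderr, "netlink: %s (needs CAP_NET_ADMIN)\n", strerror(-rc));
    else puts("SA installed; inspect with `ip xfrm state`, remove with `ip xfrm state flush`");
    return rc != 0;
}
```

Because the request carries NLM_F_ACK, the kernel answers with an NLMSG_ERROR whose error field is 0 on success; running the program twice yields EEXIST because of NLM_F_EXCL, and a non-root run yields EPERM. The SP side of the pair is the same pattern with XFRM_MSG_NEWPOLICY, a struct xfrm_userpolicy_info payload and an XFRMA_TMPL attribute whose reqid names the SA above.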

IPSec framework in kernel

ESP protocol         net/ipv4/esp4.c, net/ipv6/esp6.c
AH protocol          net/ipv4/ah4.c, net/ipv6/ah6.c
XFRM framework       the protocol-independent core lives in net/xfrm/ (xfrm_policy.c for the SPD, xfrm_state.c for the SAD, xfrm_user.c for the netlink interface); the address-family glue is in net/ipv4/xfrm4_policy.c and net/ipv6/xfrm6_policy.c
XFRM initialization  xfrm4_init() and xfrm6_init()

Kernel cryptography

XFRM does not implement ciphers itself; it requests them by name from the kernel crypto API:

asynchronous crypto API   the skcipher/ahash/aead interfaces, which let a request complete outside the calling context (e.g. on a hardware accelerator)
cryptd                    a software wrapper that runs a synchronous algorithm asynchronously in a workqueue
pcrypt                    parallel crypto for multicore systems, spreading requests over several CPUs while preserving packet order

Algorithms available through that API include DES, 3DES, AES (CBC, CTR and the GCM/CCM AEAD modes), CAST5/CAST6, Blowfish, Camellia, Serpent, Twofish etc. The ESP code accepts any of them by its crypto API name, e.g. cbc(aes) or rfc4106(gcm(aes)).

Two IPsec stacks exist for Linux:

native NETKEY stack   the in-tree XFRM implementation described on this page, built on the kernel crypto API
KLIPS stack           the original FreeS/WAN stack, maintained out of tree by Openswan/Libreswan, with its own ipsecN virtual interfaces

To start with, the core object of xfrm is the 'xfrm' member of 'struct net' (a struct netns_xfrm), i.e. each network namespace has its own separate xfrm object. This object is referenced to access the hash tables of the SPD (policy_bydst, policy_byidx) and of the SAD (state_bydst, state_bysrc, state_byspi), and it also holds the state garbage collector work item (state_gc_work).

Data structures

The building block of the SPD (Security Policy Database) is struct xfrm_policy, defined in include/net/xfrm.h. The layout below is that of the kernel version this page was written against; later kernels changed some details (refcnt became a refcount_t, and the flow cache together with the flo member was removed), but the fields discussed here remain.

struct xfrm_policy {
#ifdef CONFIG_NET_NS
        struct net                      *xp_net;        /* owning network namespace */
#endif
        struct hlist_node               bydst;          /* link in the by-destination hash table */
        struct hlist_node               byidx;          /* link in the by-index hash table */

        /* This lock only affects elements except for entry. */
        rwlock_t                        lock;
        atomic_t                        refcnt;         /* reference count */
        struct timer_list               timer;          /* lifetime expiry timer */

        struct flow_cache_object        flo;            /* flow cache entry */
        atomic_t                        genid;          /* bumped on change, invalidates cached lookups */
        u32                             priority;       /* lower value wins when selectors overlap */
        u32                             index;          /* unique policy id */
        struct xfrm_mark                mark;           /* packet mark/mask the policy is restricted to */
        struct xfrm_selector            selector;       /* traffic this policy applies to */
        struct xfrm_lifetime_cfg        lft;            /* configured lifetime limits */
        struct xfrm_lifetime_cur        curlft;         /* current lifetime counters */
        struct xfrm_policy_walk_entry   walk;           /* link for dump/walk iteration */
        struct xfrm_policy_queue        polq;           /* packets waiting for an SA */
        u8                              type;           /* XFRM_POLICY_TYPE_MAIN or _SUB */
        u8                              action;         /* XFRM_POLICY_ALLOW or XFRM_POLICY_BLOCK */
        u8                              flags;          /* XFRM_POLICY_LOCALOK, XFRM_POLICY_ICMP */
        u8                              xfrm_nr;        /* number of templates used in xfrm_vec */
        u16                             family;         /* AF_INET or AF_INET6 */
        struct xfrm_sec_ctx             *security;      /* LSM security context */
        struct xfrm_tmpl                xfrm_vec[XFRM_MAX_DEPTH]; /* SA templates to apply */
};




Important fields:

  - refcnt: reference count that keeps the policy alive while it is in use.

  - selector: the embedded xfrm_selector object holding the source and destination IP addresses (with prefix lengths), source and destination ports (with masks), protocol, interface index, etc. The xfrm_selector_match() API checks whether a given flow matches the selector.

  - priority: when several policies match a flow, the one with the lowest priority value wins; index is the policy's unique identifier.

  - lft: the configured policy lifetime (byte, packet and time limits); curlft holds the current counters.

  - timer: handles the policy expiry.

  - polq: a queue holding packets while no states (SAs) are yet associated with this policy, e.g. while the keying daemon is still negotiating them.

  - action: decides the fate of the traffic, XFRM_POLICY_ALLOW (pass; transformed according to the templates if there are any) or XFRM_POLICY_BLOCK (drop).

  - xfrm_vec / xfrm_nr: the templates (protocol, mode, reqid) describing which SAs the traffic must be transformed with, and how many of them are used.

  - family: AF_INET or AF_INET6 (as mentioned, this structure is common to both protocols).
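As an added example (not code from this wiki page or from the kernel), the program below re-implements in user space the IPv4 checks that xfrm_selector_match() performs and the priority-ordered decision of the SPD lookup, then runs them over a constructed three-policy SPD, to show concretely what the selector, priority and action fields above decide. The flow4 and policy structs, the addresses and the policy set are demo constructions; only struct xfrm_selector and the XFRM_POLICY_* constants come from the kernel headers.

```c
/* Added example, not code from this wiki page or from the kernel: a user-space
 * re-implementation of the IPv4 checks in xfrm_selector_match() and of the
 * priority-ordered SPD decision, run over a constructed policy set, to show what
 * the selector, priority and action fields of struct xfrm_policy decide.
 * Build on Linux: gcc -Wall -o spd_lookup spd_lookup.c */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <linux/xfrm.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the kernel extracts from a packet into struct flowi4 before the lookup
 * (addresses and ports in network byte order; oif 0 = not bound to a device). */
struct flow4 { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; int oif; };

/* The fields of struct xfrm_policy that the lookup reads: selector, priority
 * (lower value wins) and action (XFRM_POLICY_ALLOW or XFRM_POLICY_BLOCK). */
struct policy { struct xfrm_selector sel; uint32_t priority; uint8_t action; };

/* Kernel addr4_match(): true when the leading `plen` bits of a and b agree. */
static bool addr4_match(uint32_t a, uint32_t b, unsigned plen)
{
    if (plen == 0) return true;              /* wildcard; also avoids a 32-bit shift */
    uint32_t mask = htonl(plen >= 32 ? 0xffffffffu : ~0u << (32 - plen));
    return ((a ^ b) & mask) == 0;
}

/* Mirror of the IPv4 branch of xfrm_selector_match(): prefixes, masked ports
 * (mask 0 = any port), protocol (0 = any) and output ifindex (0 = any). */
bool selector_match(const struct xfrm_selector *sel, const struct flow4 *fl)
{
    return sel->family == AF_INET &&
           addr4_match(fl->daddr, sel->daddr.a4, sel->prefixlen_d) &&
           addr4_match(fl->saddr, sel->saddr.a4, sel->prefixlen_s) &&
           !((fl->dport ^ sel->dport) & sel->dport_mask) &&
           !((fl->sport ^ sel->sport) & sel->sport_mask) &&
           (sel->proto == fl->proto || !sel->proto) &&
           (sel->ifindex == fl->oif || !sel->ifindex);
}

static struct xfrm_selector mksel(const char *src, unsigned splen, const char *dst,
                                  unsigned dplen, uint8_t proto, uint16_t dport)
{
    struct xfrm_selector s;
    memset(&s, 0, sizeof s);
    s.family = AF_INET;
    inet_pton(AF_INET, src, &s.saddr.a4);  s.prefixlen_s = splen;
    inet_pton(AF_INET, dst, &s.daddr.a4);  s.prefixlen_d = dplen;
    s.proto = proto;                       /* 0 = any protocol */
    if (dport) { s.dport = htons(dport); s.dport_mask = 0xffff; }  /* else any port */
    return s;
}

/* Constructed SPD for the demo. The kernel hashes the real one by destination
 * prefix and keeps inexact policies in priority order; the decision is the same. */
#define NPOL 3
static struct policy spd[NPOL];
static void build_spd(void)
{
    spd[0] = (struct policy){ mksel("10.0.0.0", 24, "192.168.1.10", 32, IPPROTO_TCP, 22), 100, XFRM_POLICY_BLOCK }; /* no ssh to db host */
    spd[1] = (struct policy){ mksel("10.0.0.0", 24, "192.168.1.0", 24, 0, 0), 200, XFRM_POLICY_ALLOW };             /* LAN -> DMZ via IPsec */
    spd[2] = (struct policy){ mksel("192.168.1.0", 24, "0.0.0.0", 0, 0, 0), 300, XFRM_POLICY_ALLOW };               /* DMZ -> anywhere */
}

/* As xfrm_policy_lookup_bytype(): among the matching SPs the lowest priority value
 * decides. Returns its action, or -1 when no SP matches (the kernel then leaves the
 * packet untransformed). Addresses are dotted quads, ports in host byte order. */
int spd_lookup(const char *src, const char *dst, uint16_t sport, uint16_t dport,
               uint8_t proto)
{
    struct flow4 fl = { .sport = htons(sport), .dport = htons(dport), .proto = proto };
    const struct policy *best = NULL;
    inet_pton(AF_INET, src, &fl.saddr);
    inet_pton(AF_INET, dst, &fl.daddr);
    build_spd();
    for (int i = 0; i < NPOL; i++)
        if (selector_match(&spd[i].sel, &fl) && (!best || spd[i].priority < best->priority))
            best = &spd[i];
    return best ? best->action : -1;
}

int main(void)
{
    const struct { const char *src, *dst; uint16_t dport; uint8_t proto; } probe[] = {
        { "10.0.0.5", "192.168.1.10", 22, IPPROTO_TCP },   /* SP0 and SP1 match; SP0 wins */
        { "10.0.0.5", "192.168.1.10", 443, IPPROTO_TCP },  /* only SP1 matches */
        { "10.1.0.5", "192.168.1.10", 22, IPPROTO_TCP },   /* source outside 10.0.0.0/24 */
    };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        int a = spd_lookup(probe[i].src, probe[i].dst, 40000, probe[i].dport, probe[i].proto);
        printf("%s -> %s:%u proto %u: %s\n", probe[i].src, probe[i].dst, probe[i].dport,
               probe[i].proto, a < 0 ? "no policy" : a == XFRM_POLICY_BLOCK ? "BLOCK" : "ALLOW");
    }
    return 0;
}
```

The first probe shows why priority matters: both the BLOCK rule for port 22 and the broader ALLOW rule match, and the lower priority value (100) wins. A port mask of 0 in a selector is what makes `ip xfrm policy add ... proto tcp` without a port match every TCP port, and a prefix length of 0 is the any-address wildcard.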
mywiki/linux/ipsec.1449722640.txt.gz · Last modified: (external edit)