Hi
 
I'm relatively new to Linux, IPsec and this mailing list, so let me know if 
I've posted to the wrong list or if this mail is out-of-scope.
 
Background
----------
I'm looking to develop an application that will set up IPsec security 
associations (SAs) and policy on demand and then use those SAs to protect the 
packets that it sends out. This application doesn't use IKE, it's a proprietary 
system I'm working on.
 
In this system, there is no requirement to set up SAs as a result of policy 
demand. SAs and the policy that refers to them will be programmed at the same 
time, so when the policy-engine tries to find a suitable SA for a packet, one 
should always be available (or if not, the packet should be dropped).
 
I've been told that there are two alternative Linux Kernel implementations of 
IPsec (XFRM (native) or KLIPS (*S/WAN)).  I'm trying to understand whether 
either of these support my requirements already or if not, which one would be 
closest.
 
Requirements/Questions
----------------------
Multiple SAs need to be supported to a given endpoint (IP address).  The choice 
of SA (for outbound packets from the same application) is controlled by the 
transport level ports, so IPsec policy needs to be able to associate a specific 
SA with a particular flow (flow being src+dest IP address, transport protocol 
and ports).  
 
1.  Do either of the existing implementations already support this sort of 
policy?  
 
In an attempt to answer my own question, I've taken a look through the source 
code of the latest OpenSwan release (2.4.7).  It appears that this is supported 
through the SADB_X_EXT_ADDRESS_SRC_FLOW and SADB_X_EXT_ADDRESS_DST_FLOW 
PF_KEYv2 extensions.  These appear to extract the source/dest ports from the 
PF_KEY sadb_message and build them into the eroute tree.  Then I believe the 
lookup in ipsec_tunnel_SAlookup() should preferentially match eroute entries 
that having matching ports, addresses and protocol.  
 
2.  Can anyone confirm or deny my understanding here?

3.  I had previously thought of the PF_KEY interface as SA programming only.  
Associating an SA with a flow in this way seems to verge into policy.  Are 
there any corresponding policy changes I will need to make to get this to work? 
 

4.  Have I missed anything that would simplify this (such as a socket option 
that specifies the SA to use for packets sent over this socket)?
 
Any answers appreciated, even if it's an answer along the lines of "this isn't 
supported - you're on your own". 
 
Regards
 
Oli


      ___________________________________________________________ 
Yahoo! Mail is the world's favourite email. Don't settle for less, sign up for
your free account today 
http://uk.rd.yahoo.com/evt=44106/*http://uk.docs.yahoo.com/mail/winter07.html 
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to