Friday, December 16, 2011

Linux XFRM and IPSec

xfrm_policy
xfrm_state
xfrm_templ


IPsec overview | The Linux Foundation
http://www.linuxfoundation.org/collaborate/workgroups/networking/ipsec-overview

Adding policies and states from user space:
Handling addition of policies is done by:
xfrm_add_policy() (net/xfrm/xfrm_user.c)
Handling addition of states is done by:
xfrm_add_sa() (net/xfrm/xfrm_user.c)
Handling creation of an SPI (using randomness) is done by:
xfrm_alloc_userspi() (net/xfrm/xfrm_user.c)
Diagram:
xfrm_lookup() invocation:


Linux Kernel Security Overview
http://namei.org/presentations/linux-kernel-security-kca09.pdf

Linux Kernel Networking
http://haifux.org/lectures/172/netLec.pdf
network_overview | The Linux Foundation
http://www.linuxfoundation.org/collaborate/workgroups/networking/networkoverview

Research on IPSec VPN Under Framework of XFRM Based on Linux
http://www.ecice06.com/CN/article/downloadArticleFile.do?attachType=PDF&id=13199
xfrm_policy{} represents an IPsec SP and xfrm_state{} represents an IPsec SA; xfrm_state{} is associated with xfrm_policy{} through xfrm_templ{}; the SPD is made up of a chain of xfrm_policy{} structures, and the SAD of a chain of xfrm_state{} structures.


Does Linux support AES-GCM and AES-GMAC???
http://permalink.gmane.org/gmane.network.ipsec.tools.devel/1631
- To IPsec SA identifier, RFC 4106 says:
8.3. Phase 2 Identifier

For IKE Phase 2 negotiations, IANA has assigned three ESP Transform
Identifiers for AES-GCM with an eight-byte explicit IV:

18 for AES-GCM with an 8 octet ICV;
19 for AES-GCM with a 12 octet ICV; and
20 for AES-GCM with a 16 octet ICV.

- To PF_KEY cipher type:

Linux pfkeyv2 seems to have:
#define SADB_X_EALG_AES_GCM_ICV8 18
#define SADB_X_EALG_AES_GCM_ICV12 19
#define SADB_X_EALG_AES_GCM_ICV16 20
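The quoted post ties the RFC 4106 ESP transform identifiers to the Linux pfkeyv2 constants; what the identifier changes on the wire is the ICV length. The following C parser is an added example (not code from the original post, the mailing list or the kernel) that splits an ESP/AES-GCM packet into SPI, sequence number, 8-octet IV, ciphertext and ICV according to that identifier, assuming the RFC 4303 ESP layout (8-byte header, encrypted 2-byte trailer) and the 8-octet explicit IV of RFC 4106; the sample packet is constructed, not captured.

```c
/* Added example (not from the original post or the Linux kernel sources): split an
 * ESP packet protected by AES-GCM (RFC 4106) into its fields. The IKE Phase 2
 * transform identifier (18/19/20, the values Linux pfkeyv2 reuses for
 * SADB_X_EALG_AES_GCM_ICV8/12/16) fixes the ICV length, i.e. where ciphertext ends. */
#include <stddef.h>
#include <stdint.h>
#define ESP_HDR_LEN     8  /* SPI (4) + sequence number (4), RFC 4303 */
#define ESP_GCM_IV_LEN  8  /* RFC 4106: 8-octet explicit IV follows the header */
#define ESP_TRAILER_MIN 2  /* encrypted pad-length + next-header bytes, RFC 4303 */
#define BE32(p) (((uint32_t)(p)[0] << 24) | ((uint32_t)(p)[1] << 16) | \
                 ((uint32_t)(p)[2] << 8) | (uint32_t)(p)[3])

struct esp_gcm_fields {
    uint32_t spi, seq;  size_t ct_len, icv_len;
    const uint8_t *iv, *ct, *icv;   /* point into the caller's packet buffer */
};

size_t esp_gcm_icv_len(int transform_id) {  /* 0 if the id is not AES-GCM */
    switch (transform_id) {
    case 18: return 8;   /* SADB_X_EALG_AES_GCM_ICV8 */
    case 19: return 12;  /* SADB_X_EALG_AES_GCM_ICV12 */
    case 20: return 16;  /* SADB_X_EALG_AES_GCM_ICV16 */
    default: return 0;
    }
}

/* Returns the ciphertext length and fills *out (may be NULL), or -1 when the
 * transform is unknown or the packet cannot hold header, IV, trailer and ICV. */
long esp_gcm_split(const uint8_t *pkt, size_t len, int transform_id, struct esp_gcm_fields *out) {
    size_t icv_len = esp_gcm_icv_len(transform_id);
    if (icv_len == 0 || len < ESP_HDR_LEN + ESP_GCM_IV_LEN + ESP_TRAILER_MIN + icv_len)
        return -1;
    if (out) {
        out->spi = BE32(pkt);
        out->seq = BE32(pkt + 4);
        out->iv = pkt + ESP_HDR_LEN;
        out->ct = out->iv + ESP_GCM_IV_LEN;
        out->icv = pkt + len - icv_len;
        out->icv_len = icv_len;
        out->ct_len = (size_t)(out->icv - out->ct);
    }
    return (long)(len - ESP_HDR_LEN - ESP_GCM_IV_LEN - icv_len);
}

/* Constructed sample, not a capture: SPI 0x1000, seq 1, 8-byte IV, 4 ciphertext
 * bytes and a 16-byte ICV (36 bytes in all), i.e. an ICV16 (identifier 20) packet. */
static const uint8_t sample_pkt[36] = {
    0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x01, 0xa0, 0xa1, 0xa2, 0xa3,
    0xa4, 0xa5, 0xa6, 0xa7, 0xc0, 0xc1, 0xc2, 0xc3, 0x10, 0x11, 0x12, 0x13,
    0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
```

Feeding the same 36 bytes to the parser under identifier 18 or 19 moves the ciphertext/ICV boundary, which is why an SA whose transform identifier does not match its peer's fails integrity checks rather than merely decrypting to garbage.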
