> then do child rekeying key exchange using another secure channel
> (provided by an external device, for example QKD device).

I see.

> That's why I need access to PF_KEY, to intercept the expire message
> from kernel, do the new key exchange through external secure channel
> and then send back to kernel new key to update SADB.

Probably it is better to do your custom rekeying at a higher level in charon. Otherwise the state in the SAD wouldn't match the state in the IKE daemon.

Expire messages trigger a rekey job, and this job finally calls rekey_child_sa() on the IKE_SA [1]. Instead of queueing the child_rekey task, you can do your own rekey procedure. This procedure basically would set up a new child_sa_t, using its alloc_spi(), install() and add_policies() methods with your negotiated key material and other parameters. Once you have negotiated the new CHILD_SA, you can delete the old one, completing the rekeying.

> Do you think it would be possible to do it with a plugin or I should
> change charon?

Our plugin interfaces are not sufficient to hook in your own rekeying handler; you'll have to extend charon itself.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ike_sa.c;h=a13a7a3b;hb=HEAD#l1343

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
