strongSwan has the ability to install a kernel trap, so that when a packet is sent to a particular host, on the fly an SA is created and brought up, and then the packet is transformed via that SA.
I'd like to know more about this. My goal is to prototype an opportunistic encryption feature for strongSwan, to extend this feature even to hosts which don't have a set SA in the conf file, but where the SA parameters are discovered on the fly (perhaps via DNSSEC, perhaps via another means).

1. Can you give a high level overview of how this trap works?
2. Which mechanism in the Linux kernel does it use?
3. Where is the relevant strongSwan source code for it?
4. I assume the kernel must cache the packet while the SA is being set up and charon is keying it. Is there a time limit here before timeout? Or, since nothing has gone on the wire yet, do we have as much time as we need?

My goal is to create code which uses a similar trap to discover the appropriate parameters (e.g. via DNSSEC). Once I have them, what is the best API to pass them to charon to do the keying? And, once charon has done the keying, how can I tell strongSwan to take it from there?

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
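As an added illustration of the trap the post refers to (example configuration, not part of the original message and not taken from the strongSwan sources): a trap policy is what strongSwan installs when a child config uses start_action = trap in swanctl.conf (auto=route in the legacy ipsec.conf). Only the kernel IPsec policy is installed up front; no IKE or CHILD_SA exists until traffic matches it and the kernel reports an acquire to charon. The peer address 192.0.2.10, the connection and child names, and the certificate file name are assumptions chosen for the example.

```conf
# swanctl.conf fragment (added example). Assumed values: peer 192.0.2.10,
# connection name oe-trap, child name oe-child, certificate hostCert.pem.
connections {
    oe-trap {
        remote_addrs = 192.0.2.10
        local {
            auth = pubkey
            certs = hostCert.pem
        }
        remote {
            auth = pubkey
        }
        children {
            oe-child {
                remote_ts = 192.0.2.10/32
                # trap: install the kernel policy only; charon keys the SA
                # when the kernel reports matching outbound traffic.
                # (start_action = start would negotiate immediately instead.)
                start_action = trap
            }
        }
    }
}
```

After `swanctl --load-all`, `swanctl --list-pols` shows the trap policy on the strongSwan side and `ip xfrm policy` shows the matching kernel policy, even though `swanctl --list-sas` is still empty. Sending a packet to 192.0.2.10 then triggers the negotiation. The kernel-side wait for that negotiation is bounded by the sysctl net.core.xfrm_acq_expires (30 seconds by default), which is the value to check when reasoning about how long an on-the-fly parameter discovery may take.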
