Hi Muhammad,

On 110601 at 08:30, Muhammad Nasir Mumtaz Bhutta wrote:
> is there any good starting point for linux kernel implementation of
> IPSec...

I recently implemented an extension to make IPsec VPNs resilient against covert channel exploitation (not only TFC by randomization). We have a paper in submission, but I can send some code snippets to get you started.

The Linux source code is the best and almost only documentation I found. Linux implements IPsec in the XFRM subsystem, as a configurable set of transformation protocols (ESP, AH, IP-Tunnel, ...) on packets. The IPsec SA is then represented as a set of function pointers to these protocols. There is some documentation on programming (configuring) XFRM from userspace, but I found no documentation on the actual design on the kernel side. :-/

However, if you can implement your modification as an IPsec protocol or a modification of the existing ESP/AH, you are kind of lucky. This is not very hard to implement and you can use net/ipv4/esp.c as an example. In struct xfrm_type you can define function pointers for input and output functions; these are called for each ingress and egress packet, respectively. To activate the protocol you have to make it available through the XFRM configuration layer, but this is mostly copy&paste. I advise using the 'ip' util from iproute2 as a userspace configuration client.

The packets are held in struct sk_buff, which is complex but reasonably documented: http://www.skbuff.net/

/steffen

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
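A user-space C model of the design the reply sketches, added here as an illustration and not code from the thread or from the Linux XFRM subsystem: each transform protocol exposes a per-packet output (egress) and input (ingress) callback, an SA is a set of pointers to those callbacks, and the protocol is found through a registration table keyed by IP protocol number. The names struct xfrm_type_model, struct sa_model, lookup_type_model and sa_egress/sa_ingress are constructed stand-ins for the kernel's types, the two-byte length prefix on the inner packet stands in for the IP total-length field, and no cipher is applied; the model shows framing and dispatch only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_MAX   256
#define PROTO_ESP 50   /* IP protocol number of ESP */
#define NEXT_IPV4 4    /* inner protocol: IP-in-IP, as in tunnel mode */

struct pkt { uint8_t data[PKT_MAX]; size_t len; };

struct sa_model;

/* Constructed stand-in for struct xfrm_type: callbacks invoked for every
 * egress and ingress packet of an SA using this protocol. */
struct xfrm_type_model {
    const char *name;
    uint8_t     proto;
    int (*output)(const struct sa_model *sa, struct pkt *p);
    int (*input)(const struct sa_model *sa, struct pkt *p);
};

/* Constructed stand-in for the SA: a pointer to its protocol's callbacks
 * plus per-SA policy (here: pad the inner packet to this block size). */
struct sa_model { const struct xfrm_type_model *type; size_t tfc_block; };

/* Constructed inner packet: 2-byte big-endian total length, then payload. */
size_t make_inner(struct pkt *p, const uint8_t *payload, size_t n)
{
    if (n + 2 > PKT_MAX) return 0;
    p->data[0] = (uint8_t)((n + 2) >> 8);
    p->data[1] = (uint8_t)(n + 2);
    memcpy(p->data + 2, payload, n);
    return p->len = n + 2;
}

/* Egress: TFC padding up to the SA's block size, then an ESP-style trailer
 * (monotonic pad bytes 1,2,3..., pad length, next header) as in RFC 4303. */
static int esp_like_output(const struct sa_model *sa, struct pkt *p)
{
    size_t blk = sa->tfc_block ? sa->tfc_block : 1;
    size_t padded = (p->len + blk - 1) / blk * blk;
    size_t esp_pad = (4 - (padded + 2) % 4) % 4;  /* trailer 4-byte aligned */
    size_t total = padded + esp_pad + 2;
    if (total > PKT_MAX) return -1;
    memset(p->data + p->len, 0, padded - p->len);    /* TFC padding */
    for (size_t i = 0; i < esp_pad; i++) p->data[padded + i] = (uint8_t)(i + 1);
    p->data[padded + esp_pad]     = (uint8_t)esp_pad;
    p->data[padded + esp_pad + 1] = NEXT_IPV4;
    p->len = total;
    return 0;
}

/* Ingress: validate and strip the trailer, then drop the TFC padding using
 * the inner length. Returns the next-header value, or -1 if malformed. */
static int esp_like_input(const struct sa_model *sa, struct pkt *p)
{
    (void)sa;
    if (p->len < 4) return -1;
    uint8_t next_hdr = p->data[p->len - 1];
    size_t  pad_len  = p->data[p->len - 2];
    if (pad_len + 2 > p->len) return -1;
    size_t body = p->len - pad_len - 2;
    for (size_t i = 0; i < pad_len; i++)             /* pad bytes must be 1,2,3... */
        if (p->data[body + i] != (uint8_t)(i + 1)) return -1;
    size_t inner = ((size_t)p->data[0] << 8) | p->data[1];
    if (inner < 2 || inner > body) return -1;        /* length lies outside packet */
    p->len = inner;                                  /* discards TFC bytes */
    return next_hdr;
}

static const struct xfrm_type_model esp_like_type = {
    "esp-like", PROTO_ESP, esp_like_output, esp_like_input };

/* Registration table, the stand-in for making a type known to XFRM. */
static const struct xfrm_type_model *type_table[] = { &esp_like_type };

const struct xfrm_type_model *lookup_type_model(uint8_t proto)
{
    for (size_t i = 0; i < sizeof type_table / sizeof type_table[0]; i++)
        if (type_table[i]->proto == proto) return type_table[i];
    return NULL;
}

/* The SA dispatches through its function pointers, once per packet. */
int sa_egress(const struct sa_model *sa, struct pkt *p)  { return sa->type->output(sa, p); }
int sa_ingress(const struct sa_model *sa, struct pkt *p) { return sa->type->input(sa, p); }

/* Runs one payload through egress then ingress; returns the wire length
 * if the inner packet round-trips intact, else -1. */
int roundtrip(const char *payload, size_t n, size_t tfc_block)
{
    struct sa_model sa = { lookup_type_model(PROTO_ESP), tfc_block };
    struct pkt p;
    if (!sa.type || !make_inner(&p, (const uint8_t *)payload, n)) return -1;
    if (sa_egress(&sa, &p) != 0) return -1;
    size_t wire_len = p.len;
    if (sa_ingress(&sa, &p) != NEXT_IPV4 || p.len != n + 2 ||
        memcmp(p.data + 2, payload, n) != 0) return -1;
    return (int)wire_len;
}

/* Returns 1 if a packet whose inner length exceeds the body is rejected. */
int rejects_bad_inner_length(void)
{
    struct sa_model sa = { lookup_type_model(PROTO_ESP), 32 };
    struct pkt p;
    make_inner(&p, (const uint8_t *)"x", 1);
    sa_egress(&sa, &p);
    p.data[1] = 200;                                 /* corrupt the inner length */
    return sa_ingress(&sa, &p) == -1;
}

int main(void)
{
    printf("5-byte payload, 32-byte TFC block: %d bytes on the wire\n", roundtrip("hello", 5, 32));
    printf("10-byte payload, 32-byte TFC block: %d bytes on the wire\n", roundtrip("0123456789", 10, 32));
    return 0;
}
```

With a 32-byte TFC block a 5-byte and a 10-byte payload produce the same 36-byte wire length, which is the point of TFC padding; the receiver recovers the true length from the inner header and discards the rest. Where this model stops is exactly where the kernel work starts: in the real subsystem the packet is a struct sk_buff, and the input/output pointers live in struct xfrm_type as the reply describes.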
