Chris, strongSwan is just the IKE control plane; it uses the NETKEY IPsec
implementation in the native Linux kernel for the datapath, where ESP
encryption/decryption happens.
Now regarding IPsec packet processing: security associations and
security policies use the xfrm architecture. An IPsec SP, which is represented
by an xfrm_policy structure, is bound to the routing flow cache, and an
IPsec SA, which is represented by an xfrm_state structure, is included in
the destination cache dst_entry structure. These structures are chained to
form an IPsec SA bundle.
IPsec packet output processing:
The output part of the XFRM architecture is placed between the IP layer
and the network driver layer. In general, a non-IPsec packet is
passed to the network driver layer by a single destination output
function. However, packets needing IPsec processing are
processed by xfrm functions, which perform ESP and AH processing on them.
The xfrm functions make a chain of destination output functions, which is
called a stackable destination. Each function matches one IPsec
processing step, like AH, ESP or IPCOMP. To be more specific, in order to pass
a packet to the network driver layer the following steps are needed:
1) Look up the routing table to decide the output function, via ip6_route_output( )
2) Look up the IPsec security policy
3) Look up an IPsec SA suitable for the IPsec security policy; the destination
chain is created
4) To apply IPsec, the packet is passed to the destination chain.

Here is the output flow:
ip6_dst_lookup( ) -----> ip6_route_output( ) ------> xfrm_lookup( )
------> flow_cache_lookup( ) ------> xfrm_policy_lookup( ) ------->
xfrm_tmpl_resolve( ) ----> xfrm_bundle_create ----------> ip6_xmit( )
-------> dst_output( ) (which calls destination output chain )

IPsec packet input processing:
IPsec packet processing for input is in ip6_input_finish( ), where it
uses the inet6_protos hash table to retrieve the xfrm_rcv structure from the
protocol number. xfrm_rcv has functions registered to do input packet
processing, like ESP decryption and AH processing. Eventually, the
decrypted packet is checked against xfrm6_policy_check( ) to ensure .

Hope that helps.

Regards,
Nagaraj
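
The output path Nagaraj describes (SP lookup by selector, template resolution against the SA database, bundle built as an ordered chain of transforms), modelled in Python as an added example. This is a simplified model written for this thread, not kernel code; all policy, SA and packet values are constructed. It also shows the failure mode that matters to a defender: a packet that matches a policy whose template has no SA is held for ACQUIRE, never sent in the clear.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:        # models xfrm_policy: selector + list of templates
    src: str         # source prefix of the selector
    dst: str         # destination prefix of the selector
    proto: int       # IP protocol of the selector, 0 = any
    templates: list  # ordered (proto, reqid) pairs, e.g. [("esp", 1)]
    action: str = "allow"   # "allow" or "block"

@dataclass
class State:         # models xfrm_state: one SA identified by (proto, reqid)
    proto: str
    reqid: int
    spi: int

def policy_lookup(spd, pkt):
    """First policy whose selector matches the packet (xfrm_policy_lookup)."""
    for p in spd:
        if (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(p.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(p.dst)
                and p.proto in (0, pkt["proto"])):
            return p
    return None

def tmpl_resolve(sad, policy):
    """Resolve every template to an SA (xfrm_tmpl_resolve); None if one is missing."""
    bundle = []
    for proto, reqid in policy.templates:
        sa = next((s for s in sad if s.proto == proto and s.reqid == reqid), None)
        if sa is None:
            return None      # larval state: kernel sends XFRM_MSG_ACQUIRE to the IKE daemon
        bundle.append(sa)
    return bundle

def dst_output(spd, sad, pkt):
    """Decide what the stackable destination chain does with one packet."""
    p = policy_lookup(spd, pkt)
    if p is None:
        return ("plain", [])          # no SP: single plain output function
    if p.action == "block":
        return ("drop", [])
    bundle = tmpl_resolve(sad, p)
    if bundle is None:
        return ("acquire", [])        # SP matched but no SA yet: do not send in clear
    return ("ipsec", [f"{s.proto}/spi={s.spi:#x}" for s in bundle])

# Constructed sample SPD and SAD.
SPD = [Policy("10.0.1.0/24", "10.0.3.0/24", 0, [], "block"),
       Policy("10.0.1.0/24", "10.0.2.0/24", 0, [("esp", 1)])]
SAD = [State("esp", 1, 0xC0FFEE)]
```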

On Sun, Jul 15, 2012 at 3:00 AM,  <[email protected]> wrote:
> Message: 1
> Date: Sat, 14 Jul 2012 14:04:30 -0400
> From: Chris Rogers <[email protected]>
> Subject: [strongSwan] Path of Execution
> To: [email protected]
> Message-ID:
>         <cac4yorjutrjnfepuu_ayctgmrxpkrb4qkd7ttvlhf_szk9d...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> All,
>
> So over the past few weeks, I've been perusing through the StrongSwan
> source, trying to get a better understanding of how a packet actually gets
> encrypted, and then transmitted.  I'm still working in a *BSD environment,
> and it would help me greatly if someone could shed light on the following:
>
> - What libraries are called first to initiate encryption?
> - In BSD, Kernel-Pfkey is responsible for interfacing with the kernel, but
> where are the calls to kernel level encryption functions?
>
> As of now, I'm only concerned with ESP.  Thanks for the help.
>
> Chris

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users