Nagaraj,

For the output flow you explained, what debug level can be raised to see how all this is happening, if one is interested?

Thanks for the great explanation.

Regards,
-sanjay

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of nagaraj
Sent: Monday, July 16, 2012 1:48 AM
To: [email protected]
Subject: Re: [strongSwan] Users Digest, Vol 30, Issue 24

Chris,

Strongswan is just the IKE control plane; it uses the netkey IPSec implementation in the native Linux kernel for the datapath, where ESP encryption/decryption happens.

Now regarding IPSec packet processing: security associations and security policies use the xfrm architecture. An IPSec SP, represented by the xfrm_policy structure, is bound to the routing flow cache, and an IPSec SA, represented by the xfrm_state structure, is included in the destination cache dst_entry structure. These structures are chained to form an IPSec SA bundle.

IPSec packet output processing:

The output part of the XFRM architecture is placed between the IP layer and the network driver layer. In general a non-IPSec packet is passed to the network driver layer by a single destination output function. Packets needing IPSec processing, however, are processed by xfrm functions which perform ESP and AH processing on them. The xfrm functions make a chain of destination output functions, which is called a stackable destination. Each function matches one kind of IPSec processing, like AH, ESP or IPCOMP.

To be more specific, in order to pass a packet to the network driver layer the following steps are followed:

1) Look up the routing table to decide the output function, by ip6_route_output()
2) Look up the IPSec security policy
3) Look up the IPSec SA suitable for the IPSec security policy; the destination chain is created
4) To apply IPSec, the packet is passed to the destination chain.

Here is the output flow:

ip6_dst_lookup() -----> ip6_route_output() ------> xfrm_lookup() ------> flow_cache_lookup() ------> xfrm_policy_lookup() -------> xfrm_tmpl_resolve() ----> xfrm_bundle_create() ----------> ip6_xmit() -------> dst_output() (which calls the destination output chain)

IPSec packet input processing:

IPSec packet processing for input is in ip6_input_finish(), where it uses the inet6_protos hash table to retrieve the xfrm_rcv structure from the protocol number. xfrm_rcv has functions registered to do input packet processing like ESP decryption and AH processing. Eventually, the decrypted packet is checked against xfrm6_policy_check() to ensure .

Hope that helps.

Regards,
Nagaraj

On Sun, Jul 15, 2012 at 3:00 AM, <[email protected]> wrote:
> Send Users mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.strongswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
> Today's Topics:
>
> 1. Path of Execution (Chris Rogers)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 14 Jul 2012 14:04:30 -0400
> From: Chris Rogers <[email protected]>
> Subject: [strongSwan] Path of Execution
> To: [email protected]
> Message-ID: <cac4yorjutrjnfepuu_ayctgmrxpkrb4qkd7ttvlhf_szk9d...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> All,
>
> So over the past few weeks, I've been perusing through the StrongSwan
> source, trying to get a better understanding of how a packet actually
> gets encrypted, and then transmitted. I'm still working in a *BSD
> environment, and it would help me greatly if someone could shed light on the
> following:
>
> - What libraries are called first to initiate encryption?
> - In BSD, Kernel-Pfkey is responsible for interfacing with the kernel,
> but where are the calls to kernel level encryption functions?
>
> As of now, I'm only concerned with ESP. Thanks for the help.
>
> Chris
>
> ------------------------------
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
>
> End of Users Digest, Vol 30, Issue 24
> *************************************

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
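The output flow Nagaraj describes (route lookup, policy lookup, template resolution against the SA database, bundle creation, then dst_output() walking the stackable destination chain) modelled in user space. This is an added example, not kernel or strongSwan code: policy_lookup, state_lookup, tmpl_resolve, bundle_create and the dst structs are simplified stand-ins for xfrm_policy_lookup, the xfrm_state lookup, xfrm_tmpl_resolve, xfrm_bundle_create and dst_entry; the SAD and SPD contents are constructed, the "transforms" only record which SA handled the packet, and applying templates in listed order is this model's convention rather than a statement about the kernel's bundle ordering. The second policy deliberately has no SA, to show the failure mode where a policy matches but no state can be resolved.

```c
/* Added illustration, not kernel or strongSwan code: a user-space model of the
 * XFRM output path. Names are simplified stand-ins for xfrm_policy, xfrm_tmpl,
 * xfrm_state and dst_entry; transforms only tag the packet instead of encrypting. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum proto { P_ESP = 50, P_AH = 51 };            /* IP protocol numbers */

struct pkt {
    uint32_t src, dst;                            /* IPv4 addresses as host-order ints */
    char trace[96];                               /* output functions that handled it */
    int transforms;                               /* xfrm transforms applied */
};

struct sa     { int proto; uint32_t dst; const char *name; };          /* xfrm_state  */
struct tmpl   { int proto; };                                           /* xfrm_tmpl   */
struct policy { uint32_t src, dst; int ntmpl; struct tmpl tmpl[3]; };   /* xfrm_policy */

/* dst_entry stand-in: an output function, the SA it applies, and the next dst */
struct dst;
typedef int (*output_fn)(struct dst *, struct pkt *);
struct dst { output_fn output; const struct sa *xfrm; struct dst *child; };

/* Constructed sample SAD and SPD. The second policy has no matching SA on purpose. */
static const struct sa sad[] = {
    { P_ESP, 0x0a000002, "esp-to-10.0.0.2" },
    { P_AH,  0x0a000002, "ah-to-10.0.0.2"  },
};
static const struct policy spd[] = {
    { 0x0a000001, 0x0a000002, 2, { { P_ESP }, { P_AH } } },   /* ESP, then AH (model order) */
    { 0x0a000001, 0x0a000004, 1, { { P_ESP } } },             /* no SA exists for this one */
};
#define COUNT(a) (int)(sizeof (a) / sizeof (a)[0])

static void trace(struct pkt *p, const char *s) {
    if (p->trace[0]) strncat(p->trace, ",", sizeof p->trace - strlen(p->trace) - 1);
    strncat(p->trace, s, sizeof p->trace - strlen(p->trace) - 1);
}

/* Last link of every chain: the plain route's output, i.e. hand to the driver */
static int driver_output(struct dst *d, struct pkt *p) {
    (void)d;
    trace(p, "driver");
    return 0;
}

/* xfrm output stand-in: apply this dst's SA, then pass the packet to the child dst */
static int xfrm_output(struct dst *d, struct pkt *p) {
    trace(p, d->xfrm->name);
    p->transforms++;
    return d->child->output(d->child, p);
}

static const struct policy *policy_lookup(uint32_t src, uint32_t dst) {
    for (int i = 0; i < COUNT(spd); i++)
        if (spd[i].src == src && spd[i].dst == dst) return &spd[i];
    return NULL;                                  /* no policy: plain routing */
}

static const struct sa *state_lookup(int proto, uint32_t dst) {
    for (int i = 0; i < COUNT(sad); i++)
        if (sad[i].proto == proto && sad[i].dst == dst) return &sad[i];
    return NULL;
}

/* Resolve every template of the policy to an SA; -1 if any is missing. In the
 * kernel this is where an ACQUIRE goes to the IKE daemon and the packet is dropped. */
static int tmpl_resolve(const struct policy *pol, uint32_t dst, const struct sa **sas) {
    for (int i = 0; i < pol->ntmpl; i++)
        if (!(sas[i] = state_lookup(pol->tmpl[i].proto, dst))) return -1;
    return pol->ntmpl;
}

/* Chain one dst per SA, in template order, ending in the route's own dst */
static struct dst *bundle_create(struct dst *slots, const struct sa **sas, int n, struct dst *route) {
    for (int i = 0; i < n; i++) {
        slots[i].output = xfrm_output;
        slots[i].xfrm   = sas[i];
        slots[i].child  = (i + 1 < n) ? &slots[i + 1] : route;
    }
    return n ? &slots[0] : route;
}

/* The output flow: route -> policy -> SA bundle -> dst_output() on the chain.
 * Returns 0 if the packet reached the driver, -1 if it was dropped. */
int send_packet(struct pkt *p) {
    struct dst route = { driver_output, NULL, NULL };   /* ip6_route_output() result */
    struct dst slots[3];
    const struct sa *sas[3];
    struct dst *d = &route;
    const struct policy *pol = policy_lookup(p->src, p->dst);
    if (pol) {
        int n = tmpl_resolve(pol, p->dst, sas);
        if (n < 0) return -1;
        d = bundle_create(slots, sas, n, &route);
    }
    return d->output(d, p);                               /* dst_output() */
}

int main(void) {
    struct pkt a = { 0x0a000001, 0x0a000002, "", 0 };
    struct pkt b = { 0x0a000001, 0x0a000003, "", 0 };
    struct pkt c = { 0x0a000001, 0x0a000004, "", 0 };
    printf("%d %s\n", send_packet(&a), a.trace);   /* 0 esp-to-10.0.0.2,ah-to-10.0.0.2,driver */
    printf("%d %s\n", send_packet(&b), b.trace);   /* 0 driver */
    printf("%d %s\n", send_packet(&c), c.trace);   /* -1 (policy matched, no SA) */
    return 0;
}
```

Compile with `cc -Wall model.c`. On a real Linux host the two databases this model mimics are visible with `ip xfrm policy` and `ip xfrm state`: a packet that matches a policy entry but has no usable state entry is the third case above, and is the usual thing to check when traffic that should be protected disappears instead of going out in the clear.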
