[IPSec] [strongswan] strongSwan source analysis (iii): the xfrm kernel interface between strongSwan and the kernel

strongSwan SA analysis (iii)

Author:caotong
Date:2019-01-02
Version:1.0


Analysis of the xfrm kernel interface used by strongSwan

1. strongswan implementation

The interaction scenarios fall into two categories:

  1. Actively issued interactions: strongSwan sends a message to the kernel, triggered either by a packet or by a user configuration action.
  2. Listener (watcher) interactions: strongSwan listens on the netlink socket and is triggered by messages the kernel sends.

[Figure: netlink_plugin.png]

2. interaction mechanism

2.1 Sent messages

Message name            Function
XFRM_MSG_ALLOCSPI       Acquire an SPI
XFRM_MSG_NEWSA          Create a new SA
XFRM_MSG_UPDSA          Update an SA
XFRM_MSG_GETSA          Get an SA
XFRM_MSG_DELSA          Delete an SA
XFRM_MSG_FLUSHSA        Flush all SAs
XFRM_MSG_GETSPDINFO     Get SPD information
XFRM_MSG_NEWPOLICY      Create a new security policy
XFRM_MSG_UPDPOLICY      Update a security policy
XFRM_MSG_GETPOLICY      Get a security policy
XFRM_MSG_DELPOLICY      Delete a security policy
XFRM_MSG_FLUSHPOLICY    Flush all security policies

2.2 Received messages

Message name            Function
XFRM_MSG_ACQUIRE        ???
XFRM_MSG_EXPIRE         CHILD_SA timeout
XFRM_MSG_MIGRATE        CHILD_SA live migration
XFRM_MSG_MAPPING        NAT mapping (port) change

Policies have the same timeout mechanism as CHILD_SAs, but strongSwan does not process that message.
Its message type is XFRM_MSG_POLEXPIRE, and it is likewise split into HARD and SOFT.
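As an added example (not code from this post, from the kernel, or from strongSwan), the following C program shows the framing that every message in the two tables shares: a struct nlmsghdr, the XFRM payload struct for that message type, and optional attributes encoded as rtattr. It builds an XFRM_MSG_GETSA request the way a user-space IKE daemon would, then walks a constructed kernel reply with the NLMSG_OK/NLMSG_NEXT iterator and picks out the NLMSG_ERROR ack, which is how a daemon learns whether the request succeeded. It assumes the Linux UAPI headers (linux/netlink.h, linux/xfrm.h); the helper names, the sample reply and the address/SPI/mark values are constructed for the example.

```c
/* Added example: netlink/XFRM message framing. Not from the post, the
 * kernel or strongSwan; helper names and the sample reply are constructed.
 * Assumes the Linux UAPI headers <linux/netlink.h> and <linux/xfrm.h>. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>   /* RTA_* helpers; XFRM attributes use rtattr */
#include <linux/xfrm.h>

/* Request buffer: netlink header followed by payload and attributes. */
struct xfrm_request {
    struct nlmsghdr hdr;
    uint8_t body[1024];
};

/* Build XFRM_MSG_GETSA for the ESP SA identified by (daddr, spi). A non-zero
 * mark is appended as an XFRMA_MARK attribute. Returns the message length,
 * or 0 if the address does not parse. */
size_t xfrm_build_getsa(struct xfrm_request *req, const char *dst_ipv4,
                        uint32_t spi_host_order, uint32_t mark)
{
    struct xfrm_usersa_id *id;
    struct rtattr *rta;
    struct xfrm_mark xmark;

    memset(req, 0, sizeof(*req));
    req->hdr.nlmsg_len   = NLMSG_LENGTH(sizeof(*id));
    req->hdr.nlmsg_type  = XFRM_MSG_GETSA;
    req->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->hdr.nlmsg_seq   = 1;

    id = NLMSG_DATA(&req->hdr);
    if (inet_pton(AF_INET, dst_ipv4, &id->daddr.a4) != 1)
        return 0;
    id->spi    = htonl(spi_host_order);   /* SPI travels in network order */
    id->family = AF_INET;
    id->proto  = IPPROTO_ESP;

    if (mark) {
        /* Attributes follow the payload, each 4-byte aligned. */
        rta = (struct rtattr *)((uint8_t *)&req->hdr +
                                NLMSG_ALIGN(req->hdr.nlmsg_len));
        rta->rta_type = XFRMA_MARK;
        rta->rta_len  = RTA_LENGTH(sizeof(xmark));
        xmark.v = mark;
        xmark.m = 0xffffffffu;
        memcpy(RTA_DATA(rta), &xmark, sizeof(xmark));
        req->hdr.nlmsg_len = NLMSG_ALIGN(req->hdr.nlmsg_len) +
                             RTA_ALIGN(rta->rta_len);
    }
    return req->hdr.nlmsg_len;
}

/* Constructed kernel reply: one XFRM_MSG_NEWSA record (GETSA answers carry
 * an xfrm_usersa_info) followed by the NLMSG_ERROR that acks NLM_F_ACK
 * requests. error 0 means success, otherwise the kernel sends -errno. */
size_t build_sample_reply(uint8_t *buf, size_t cap, int errcode)
{
    size_t rec = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)));
    size_t ack = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct nlmsgerr)));
    struct nlmsghdr *nlh;

    if (cap < rec + ack)
        return 0;
    memset(buf, 0, rec + ack);
    nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len  = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
    nlh->nlmsg_type = XFRM_MSG_NEWSA;
    nlh->nlmsg_seq  = 1;
    ((struct xfrm_usersa_info *)NLMSG_DATA(nlh))->id.spi = htonl(0xc0ffee);

    nlh = (struct nlmsghdr *)(buf + rec);
    nlh->nlmsg_len  = NLMSG_LENGTH(sizeof(struct nlmsgerr));
    nlh->nlmsg_type = NLMSG_ERROR;
    nlh->nlmsg_seq  = 1;
    ((struct nlmsgerr *)NLMSG_DATA(nlh))->error = -errcode;
    return rec + ack;
}

/* Walk a receive buffer with NLMSG_OK/NLMSG_NEXT, counting well-formed
 * messages; the first error ack is reported as a positive errno in *err.
 * Truncated trailing bytes fail NLMSG_OK and are simply not counted. */
int netlink_walk_reply(uint8_t *buf, size_t len, int *err)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    int remaining = (int)len, count = 0;

    *err = 0;
    for (; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining)) {
        count++;
        if (nlh->nlmsg_type == NLMSG_ERROR) {
            struct nlmsgerr *e = NLMSG_DATA(nlh);
            if (e->error && !*err)
                *err = -e->error;
        }
        if (nlh->nlmsg_type == NLMSG_DONE)   /* end of a dump */
            break;
    }
    return count;
}

int main(void)
{
    struct xfrm_request req;
    uint8_t reply[512];
    int err;
    size_t n;

    printf("GETSA request: %zu bytes\n",
           xfrm_build_getsa(&req, "10.0.0.1", 0xc0ffee, 42));
    n = build_sample_reply(reply, sizeof(reply), ESRCH);
    printf("reply: %d messages, err=%d (%s)\n",
           netlink_walk_reply(reply, n, &err), err, strerror(err));
    return 0;
}
```

The reply walker is deliberately strict: anything that does not satisfy NLMSG_OK is ignored rather than parsed, which is the check a daemon needs before trusting nlmsg_len from a multi-message buffer.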

4. How xfrm implements the message communication

This section focuses on the handling of two messages: EXPIRE and ACQUIRE.

4.1 EXPIRE

Source file:

linux.git/net/xfrm/xfrm_user.c

The key message-dispatch structure:

static struct xfrm_mgr netlink_mgr = {
    .id     = "netlink",
    .notify     = xfrm_send_state_notify,
    .acquire    = xfrm_send_acquire,
    .compile_policy = xfrm_compile_policy,
    .notify_policy  = xfrm_send_policy_notify,
    .report     = xfrm_send_report,
    .migrate    = xfrm_send_migrate,
    .new_mapping    = xfrm_send_mapping,
};

Policy timeout is triggered by a timer:

xfrm_policy.c::xfrm_policy_timer()

SA timeout

1. Timer trigger

Split into two trigger paths, hard and soft:

xfrm_state.c::xfrm_timer_handler()

2. Byte and packet count trigger

Also split into hard and soft. The logic is implemented in:

xfrm_state.c::xfrm_state_check_expire()

It is checked in two places, on packet input and on packet output:

xfrm_input.c::xfrm_input()
xfrm_output.c::xfrm_output_one()
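As an added example (not code from this post, from the kernel, or from strongSwan), the following C program carries the byte/packet trigger through to the EXPIRE message strongSwan receives. check_expire() mirrors the condition ordering of the kernel's xfrm_state_check_expire() on the UAPI lifetime structs: hard limits are tested first, and the soft limit fires only once, which the kernel tracks with km.dying. encode_expire() produces the XFRM_MSG_EXPIRE frame (struct xfrm_user_expire is the SA description plus the hard flag), and handle_event() is the user-space side that validates the frame and decides between the two outcomes; in strongSwan a soft expire starts a rekey of the CHILD_SA and a hard expire deletes it. It assumes the Linux UAPI headers; the lifetime values, SPI and reqid are constructed.

```c
/* Added example: SA lifetime check and the XFRM_MSG_EXPIRE it produces.
 * Not from the post, the kernel or strongSwan. check_expire() mirrors the
 * byte/packet logic of xfrm_state_check_expire() on the UAPI structs.
 * Assumes the Linux UAPI headers <linux/netlink.h> and <linux/xfrm.h>. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

enum expire_kind { EXPIRE_NONE = 0, EXPIRE_SOFT = 1, EXPIRE_HARD = 2 };

/* Kernel side: hard limits win; the soft limit is reported once only,
 * which the kernel remembers in km.dying (here *dying). */
enum expire_kind check_expire(const struct xfrm_lifetime_cfg *cfg,
                              const struct xfrm_lifetime_cur *cur, int *dying)
{
    if (cur->bytes >= cfg->hard_byte_limit ||
        cur->packets >= cfg->hard_packet_limit)
        return EXPIRE_HARD;
    if (!*dying && (cur->bytes >= cfg->soft_byte_limit ||
                    cur->packets >= cfg->soft_packet_limit)) {
        *dying = 1;
        return EXPIRE_SOFT;
    }
    return EXPIRE_NONE;
}

/* Kernel side: XFRM_MSG_EXPIRE = nlmsghdr + struct xfrm_user_expire
 * (SA description + hard flag). Returns the frame length, 0 if cap is short. */
size_t encode_expire(uint8_t *buf, size_t cap, uint32_t spi, uint8_t proto,
                     uint32_t reqid, int hard)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_user_expire *ue;
    size_t len = NLMSG_LENGTH(sizeof(*ue));

    if (cap < len)
        return 0;
    memset(buf, 0, len);
    nlh->nlmsg_len  = len;
    nlh->nlmsg_type = XFRM_MSG_EXPIRE;
    ue = NLMSG_DATA(nlh);
    ue->state.id.spi   = htonl(spi);     /* SPI in network byte order */
    ue->state.id.proto = proto;
    ue->state.reqid    = reqid;
    ue->hard           = hard ? 1 : 0;
    return len;
}

/* User side: accept only a complete EXPIRE frame, then return the SA
 * identity and whether the expiry is hard (delete) or soft (rekey). */
enum expire_kind handle_event(uint8_t *buf, size_t len,
                              uint32_t *spi_out, uint32_t *reqid_out)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_user_expire *ue;

    if (!NLMSG_OK(nlh, (int)len) || nlh->nlmsg_type != XFRM_MSG_EXPIRE ||
        nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*ue)))
        return EXPIRE_NONE;
    ue = NLMSG_DATA(nlh);
    *spi_out   = ntohl(ue->state.id.spi);
    *reqid_out = ue->state.reqid;
    return ue->hard ? EXPIRE_HARD : EXPIRE_SOFT;
}

int main(void)
{
    /* Constructed lifetimes: soft at 1000 bytes, hard at 2000, no packet cap. */
    struct xfrm_lifetime_cfg cfg = {
        .soft_byte_limit = 1000, .hard_byte_limit = 2000,
        .soft_packet_limit = XFRM_INF, .hard_packet_limit = XFRM_INF };
    struct xfrm_lifetime_cur cur = { 0 };
    uint8_t buf[512];
    uint32_t spi, reqid;
    int dying = 0, i;

    for (i = 0; i < 5; i++) {
        cur.bytes += 500;   /* one 500-byte packet per iteration */
        cur.packets++;
        enum expire_kind k = check_expire(&cfg, &cur, &dying);
        if (k == EXPIRE_NONE)
            continue;
        size_t n = encode_expire(buf, sizeof(buf), 0xc0ffee, IPPROTO_ESP, 7,
                                 k == EXPIRE_HARD);
        k = handle_event(buf, n, &spi, &reqid);
        printf("%llu bytes: %s expire, spi 0x%x reqid %u\n",
               (unsigned long long)cur.bytes,
               k == EXPIRE_HARD ? "hard" : "soft", spi, reqid);
    }
    return 0;
}
```

Running the traffic loop shows the sequence a daemon actually sees: one soft expire at 1000 bytes, nothing at 1500 because the soft event is not repeated, then the hard expire at 2000 bytes. The kernel's time-based trigger (xfrm_timer_handler) applies the same hard/soft split to the add and use timestamps and is not modelled here.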

4.2 ACQUIRE

I have not yet worked out what this actually does.

xfrm_state.c::xfrm_state_find()
xfrm_state.c::km_query()


Source: www.cnblogs.com/hugetong/p/11143374.html