strongSwan SA analysis (C)
Author: caotong
Date: 2019-01-02
Version: 1.0
Analysis of the xfrm interface between strongSwan and the kernel
1. strongSwan implementation
The interactions between strongSwan and the kernel fall into two categories:
- Active (initiating) interactions: strongSwan sends an xfrm netlink message to the kernel, triggered either by user configuration or by a packet that needs protection.
- Passive (watcher) interactions: strongSwan listens on the xfrm netlink socket and acts on the notifications the kernel sends.
2. Interaction mechanism
2.1 Messages sent (strongSwan to kernel)
Message name | Function |
---|---|
XFRM_MSG_ALLOCSPI | Allocate an SPI |
XFRM_MSG_NEWSA | Create a new SA |
XFRM_MSG_UPDSA | Update an SA |
XFRM_MSG_GETSA | Get an SA |
XFRM_MSG_DELSA | Delete an SA |
XFRM_MSG_FLUSHSA | Flush all SAs |
XFRM_MSG_GETSPDINFO | Get SPD (security policy database) information |
XFRM_MSG_NEWPOLICY | Create a new security policy |
XFRM_MSG_UPDPOLICY | Update a security policy |
XFRM_MSG_GETPOLICY | Get a security policy |
XFRM_MSG_DELPOLICY | Delete a security policy |
XFRM_MSG_FLUSHPOLICY | Flush all security policies |
2.2 Messages received (kernel to strongSwan)
Message name | Function |
---|---|
XFRM_MSG_ACQUIRE | Request to negotiate a new SA: a packet matched a policy but no usable SA exists |
XFRM_MSG_EXPIRE | CHILD_SA lifetime expiry (soft or hard) |
XFRM_MSG_MIGRATE | CHILD_SA migration to new endpoint addresses |
XFRM_MSG_MAPPING | NAT mapping (address/port) change detected |
Policies have the same expiry mechanism as CHILD_SAs: the message type is XFRM_MSG_POLEXPIRE, likewise split into HARD and SOFT. strongSwan does not handle that message.
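The watcher class of interaction from section 1, receiving the messages in the table above, can be exercised from user space with very little code. The following C program is an added example written for this page (it is neither strongSwan's code nor kernel code): parse_xfrm_event() decodes XFRM_MSG_EXPIRE, XFRM_MSG_POLEXPIRE and XFRM_MSG_ACQUIRE from a raw netlink message using the uapi structs from linux/xfrm.h, build_expire_msg() constructs a sample EXPIRE message in memory so the decoder can be checked without privileges, and watch_xfrm_events() subscribes to the XFRMNLGRP_EXPIRE and XFRMNLGRP_ACQUIRE multicast groups to receive live events. The struct xfrm_event type and all function names are my own.

```c
/* xfrm_watch.c: decode kernel-to-userspace xfrm notifications. Added example, not strongSwan code.
 * Build: cc -Wall -o xfrm_watch xfrm_watch.c   Run: ./xfrm_watch [--watch]  (--watch needs root) */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <netinet/in.h>   /* before linux/xfrm.h so in6_addr is defined only once */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

enum ev_kind { EV_UNKNOWN = 0, EV_SA_EXPIRE, EV_POLICY_EXPIRE, EV_ACQUIRE };
struct xfrm_event {           /* own decoded view of one notification, not a kernel struct */
    enum ev_kind kind;
    int hard;                 /* EXPIRE/POLEXPIRE: 1 = hard lifetime, 0 = soft */
    uint32_t spi, reqid;      /* SA EXPIRE: SPI in host order, reqid */
    uint8_t proto, dir;       /* proto: IPPROTO_ESP/AH; dir: policy direction (POLEXPIRE/ACQUIRE) */
    uint64_t bytes, packets;  /* SA EXPIRE: traffic counters at expiry */
};

/* Decode one netlink message. Returns 0 on success, -1 if truncated or not an event we handle. */
int parse_xfrm_event(const void *buf, size_t len, struct xfrm_event *ev)
{
    struct nlmsghdr nlh;
    const unsigned char *p = (const unsigned char *)buf + NLMSG_HDRLEN;
    memset(ev, 0, sizeof *ev);
    if (len < NLMSG_HDRLEN) return -1;
    memcpy(&nlh, buf, sizeof nlh);                 /* memcpy: recv buffer need not be aligned */
    if (nlh.nlmsg_len < NLMSG_HDRLEN || nlh.nlmsg_len > len) return -1;
    size_t plen = nlh.nlmsg_len - NLMSG_HDRLEN;    /* fixed struct first, netlink attributes after */
    if (nlh.nlmsg_type == XFRM_MSG_EXPIRE && plen >= sizeof(struct xfrm_user_expire)) {
        struct xfrm_user_expire ue; memcpy(&ue, p, sizeof ue);
        ev->kind = EV_SA_EXPIRE;            ev->hard = ue.hard;
        ev->spi = ntohl(ue.state.id.spi);   ev->proto = ue.state.id.proto;   ev->reqid = ue.state.reqid;
        ev->bytes = ue.state.curlft.bytes;  ev->packets = ue.state.curlft.packets;
        return 0;
    }
    if (nlh.nlmsg_type == XFRM_MSG_POLEXPIRE && plen >= sizeof(struct xfrm_user_polexpire)) {
        struct xfrm_user_polexpire up; memcpy(&up, p, sizeof up);   /* strongSwan does not act on these */
        ev->kind = EV_POLICY_EXPIRE;  ev->hard = up.hard;  ev->dir = up.pol.dir;
        return 0;
    }
    if (nlh.nlmsg_type == XFRM_MSG_ACQUIRE && plen >= sizeof(struct xfrm_user_acquire)) {
        struct xfrm_user_acquire ua; memcpy(&ua, p, sizeof ua);
        ev->kind = EV_ACQUIRE;  ev->proto = ua.id.proto;  ev->dir = ua.policy.dir;
        return 0;
    }
    return -1;
}

/* Constructed sample (not a captured message): an XFRM_MSG_EXPIRE for an ESP SA. Returns bytes written. */
size_t build_expire_msg(unsigned char *out, size_t cap, uint32_t spi_host, int hard)
{
    struct nlmsghdr nlh = { .nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_user_expire)),
                            .nlmsg_type = XFRM_MSG_EXPIRE };
    struct xfrm_user_expire ue = { .hard = (uint8_t)hard };
    size_t total = NLMSG_ALIGN(nlh.nlmsg_len);
    if (cap < total) return 0;
    ue.state.id.spi = htonl(spi_host);  ue.state.id.proto = IPPROTO_ESP;  ue.state.reqid = 1;
    ue.state.curlft.bytes = 1048576;    ue.state.curlft.packets = 1000;
    memset(out, 0, total);
    memcpy(out, &nlh, sizeof nlh);
    memcpy(out + NLMSG_HDRLEN, &ue, sizeof ue);
    return total;
}

static void print_event(const struct xfrm_event *ev)
{
    static const char *names[] = { "unknown", "SA EXPIRE", "POLICY EXPIRE", "ACQUIRE" };
    printf("%s hard=%d spi=0x%08x proto=%u reqid=%u dir=%u bytes=%llu packets=%llu\n", names[ev->kind],
           ev->hard, ev->spi, ev->proto, ev->reqid, ev->dir, (unsigned long long)ev->bytes,
           (unsigned long long)ev->packets);
}

/* Live watcher: join the EXPIRE and ACQUIRE multicast groups (group bit = id - 1; POLEXPIRE is sent on
 * the EXPIRE group too) and decode each notification. Needs CAP_NET_ADMIN. */
int watch_xfrm_events(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) { perror("socket(NETLINK_XFRM)"); return -1; }
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK,
        .nl_groups = (1u << (XFRMNLGRP_EXPIRE - 1)) | (1u << (XFRMNLGRP_ACQUIRE - 1)) };
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); close(fd); return -1; }
    unsigned char buf[8192];  ssize_t n;  struct xfrm_event ev;
    while ((n = recv(fd, buf, sizeof buf, 0)) > 0)       /* xfrm multicasts one message per datagram */
        if (parse_xfrm_event(buf, (size_t)n, &ev) == 0) print_event(&ev);
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    unsigned char msg[256];  struct xfrm_event ev;
    size_t n = build_expire_msg(msg, sizeof msg, 0xc0ffee01u, 1);
    if (n && parse_xfrm_event(msg, n, &ev) == 0) print_event(&ev);   /* decodes the constructed sample */
    return (argc > 1 && strcmp(argv[1], "--watch") == 0) ? watch_xfrm_events() : 0;
}
```

Run with --watch as root on a host with an IPsec tunnel and short lifetimes and the soft EXPIRE (hard=0) arrives before the hard one; traffic hitting a policy that has no SA produces an ACQUIRE. The decoder deliberately stops at the fixed struct and ignores the netlink attributes that follow it; a real key manager has to parse them too, since on ACQUIRE the reqid is carried in the XFRMA_TMPL attribute rather than in struct xfrm_user_acquire.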
4. How xfrm implements the notifications
This section follows the path of two messages: EXPIRE and ACQUIRE.
4.1 EXPIRE
Source file:
linux.git/net/xfrm/xfrm_user.c
The key structure is the netlink key manager (struct xfrm_mgr) registration; its callbacks are what emit the notifications to user space:
```c
/* net/xfrm/xfrm_user.c: the netlink key manager. The xfrm core invokes these callbacks
 * (via km_state_expired(), km_query(), ...) and each one multicasts a message to user space. */
static struct xfrm_mgr netlink_mgr = {
	.id		= "netlink",
	.notify		= xfrm_send_state_notify,   /* XFRM_MSG_EXPIRE, NEWSA, UPDSA, DELSA, FLUSHSA */
	.acquire	= xfrm_send_acquire,        /* XFRM_MSG_ACQUIRE */
	.compile_policy	= xfrm_compile_policy,
	.notify_policy	= xfrm_send_policy_notify,  /* XFRM_MSG_POLEXPIRE, NEWPOLICY, DELPOLICY, ... */
	.report		= xfrm_send_report,
	.migrate	= xfrm_send_migrate,        /* XFRM_MSG_MIGRATE */
	.new_mapping	= xfrm_send_mapping,        /* XFRM_MSG_MAPPING */
};
```
Policy expiry is triggered by a timer:
xfrm_policy.c::xfrm_policy_timer()
SA expiry has two triggers.
1. Timer trigger
Split into hard and soft logic (time-based lifetimes):
xfrm_state.c::xfrm_timer_handler()
2. Byte and packet count trigger
Also split into hard and soft logic. The check is implemented in:
xfrm_state.c::xfrm_state_check_expire()
It runs in two places, on the input and output data paths, after the SA's counters have been updated for the packet:
xfrm_input.c::xfrm_input()
xfrm_output.c::xfrm_output_one()
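To make the two expiry paths concrete, the following C code is an added example for this page: a user-space model of the byte/packet check in xfrm_state_check_expire(), not the kernel's code. It reuses the lifetime structs from linux/xfrm.h; struct sa_model, the *_model functions and the notification counters are my own stand-ins for struct xfrm_state and km_state_expired(). It shows why a soft EXPIRE is seen only once (the dying flag), and that a hard limit hit on the data path marks the state expired and drops the packet, with the hard EXPIRE notification then emitted from the timer path.

```c
/* lifetime_check.c: model of the byte/packet lifetime check in the kernel's xfrm_state_check_expire().
 * Added example for this page, not kernel or strongSwan code; the real check is in net/xfrm/xfrm_state.c.
 * Build: cc -Wall -o lifetime_check lifetime_check.c */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <linux/xfrm.h>   /* struct xfrm_lifetime_cfg / xfrm_lifetime_cur, XFRM_INF */

#define SA_VALID   0      /* own simplified state machine: valid -> expired */
#define SA_EXPIRED 1

struct sa_model {                    /* the fields of struct xfrm_state that the check touches */
    struct xfrm_lifetime_cfg lft;    /* configured soft/hard limits; XFRM_INF = unlimited, as in the kernel */
    struct xfrm_lifetime_cur curlft; /* running counters */
    int state;                       /* SA_VALID / SA_EXPIRED (x->km.state) */
    int dying;                       /* set once the soft limit was reported (x->km.dying) */
    int soft_notices, hard_notices;  /* EXPIRE notifications "sent" to the key manager */
};

/* Stand-in for km_state_expired(x, hard, 0): in the kernel this fans out to xfrm_send_state_notify(),
 * which strongSwan receives as XFRM_MSG_EXPIRE with hard = 0 or 1. */
static void km_state_expired_model(struct sa_model *x, int hard)
{
    if (hard) x->hard_notices++; else x->soft_notices++;
}

/* Called per packet on the input and output paths after the counters are bumped.
 * Returns 0 if the packet may use the SA, -1 (the kernel returns -EINVAL) if it must be dropped. */
int check_expire_model(struct sa_model *x)
{
    if (x->curlft.bytes >= x->lft.hard_byte_limit ||
        x->curlft.packets >= x->lft.hard_packet_limit) {
        x->state = SA_EXPIRED;           /* kernel: sets XFRM_STATE_EXPIRED and arms the state timer */
        km_state_expired_model(x, 1);    /* with zero delay; the timer handler deletes the state and */
        return -1;                       /* sends the hard EXPIRE, modelled here as one call */
    }
    if (!x->dying &&
        (x->curlft.bytes >= x->lft.soft_byte_limit ||
         x->curlft.packets >= x->lft.soft_packet_limit)) {
        x->dying = 1;                    /* the soft EXPIRE is sent exactly once */
        km_state_expired_model(x, 0);
    }
    return 0;
}

/* Account one packet of `len` bytes against the SA, then run the check, mirroring the order
 * in xfrm_input() / xfrm_output_one(). */
int use_sa_model(struct sa_model *x, uint64_t len)
{
    x->curlft.bytes += len;
    x->curlft.packets += 1;
    return check_expire_model(x);
}

/* Build a model SA with the given limits; the time-based limits are left unlimited (XFRM_INF). */
void init_sa_model(struct sa_model *x, uint64_t soft_bytes, uint64_t hard_bytes,
                   uint64_t soft_pkts, uint64_t hard_pkts)
{
    memset(x, 0, sizeof *x);
    x->lft.soft_byte_limit = soft_bytes;    x->lft.hard_byte_limit = hard_bytes;
    x->lft.soft_packet_limit = soft_pkts;   x->lft.hard_packet_limit = hard_pkts;
    x->lft.soft_add_expires_seconds = x->lft.hard_add_expires_seconds = XFRM_INF;
    x->lft.soft_use_expires_seconds = x->lft.hard_use_expires_seconds = XFRM_INF;
}

int main(void)
{
    struct sa_model x;
    init_sa_model(&x, 1500, 3000, XFRM_INF, XFRM_INF);   /* constructed: 1500 B soft, 3000 B hard */
    for (int i = 1; i <= 3; i++) {                        /* three 1000-byte packets */
        int rc = use_sa_model(&x, 1000);
        printf("packet %d: bytes=%llu rc=%d dying=%d expired=%d soft=%d hard=%d\n", i,
               (unsigned long long)x.curlft.bytes, rc, x.dying, x.state == SA_EXPIRED,
               x.soft_notices, x.hard_notices);
    }
    return 0;
}
```

The order of the two tests matters: the hard limit is checked first, so a packet that crosses both limits at once produces only the hard EXPIRE, and once the state is expired the kernel deletes it, so no further packets reach the check.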
4.2 ACQUIRE
The exact flow was not fully worked out at the time of writing. The kernel issues ACQUIRE from the SA lookup path: when an outbound packet matches a policy but xfrm_state_find() finds no usable SA, it creates a placeholder (acquire) state and calls km_query(), which asks the registered key managers, strongSwan among them, to negotiate one.
xfrm_state.c::xfrm_state_find()
xfrm_state.c::km_query()