2006-03-21 10:10:56 +00:00
|
|
|
strongSwans overall design
|
|
|
|
============================
|
|
|
|
|
|
|
|
IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
|
|
|
|
completely handled in pluto, as it was all the times. IKEv2 is handled in the
|
|
|
|
new keying daemon, which is called charon.
|
2006-03-30 07:22:01 +00:00
|
|
|
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
|
|
|
|
Charon uses another socket interface, called stroke. Stroke uses another
|
2006-03-21 10:10:56 +00:00
|
|
|
format as whack and therefore is not compatible to whack. The starter utility,
|
|
|
|
wich does fast configuration parsing, speaks both the protocols, whack and
|
|
|
|
stroke. It also handles daemon startup and termination.
|
2006-04-04 12:45:29 +00:00
|
|
|
Pluto uses starter for some commands, for other it uses the whack utility. To be
|
2006-03-21 10:10:56 +00:00
|
|
|
as close to pluto as possible, charon has the same split up of commands to
|
|
|
|
starter and stroke. All commands are wrapped together in the ipsec script, which
|
|
|
|
allows transparent control of both daemons.
|
|
|
|
|
|
|
|
+-----------------------------------------+
|
2006-04-04 12:45:29 +00:00
|
|
|
| ipsec |
|
2006-03-21 10:10:56 +00:00
|
|
|
+-----+--------------+---------------+----+
|
2006-04-04 12:45:29 +00:00
|
|
|
| | |
|
|
|
|
| | |
|
|
|
|
| +-----+-----+ |
|
|
|
|
+-----+----+ | | +-----+----+
|
|
|
|
| | | starter | | |
|
|
|
|
| stroke | | | | whack |
|
|
|
|
| | +---+--+----+ | |
|
|
|
|
+------+---+ | | +--+-------+
|
|
|
|
| | | |
|
|
|
|
+---+------+ | | +------+--+
|
|
|
|
| | | | | |
|
|
|
|
| charon +----+ +----+ pluto |
|
|
|
|
| | | |
|
2006-03-21 10:10:56 +00:00
|
|
|
+-----+----+ +----+----+
|
2006-04-04 12:45:29 +00:00
|
|
|
| |
|
|
|
|
+-----+----+ |
|
|
|
|
| LSF | |
|
|
|
|
+-----+----+ |
|
|
|
|
| |
|
2006-03-21 10:10:56 +00:00
|
|
|
+-----+----+ +----+----+
|
2006-04-04 12:45:29 +00:00
|
|
|
| RAW Sock | | UDP/500 |
|
2006-03-21 10:10:56 +00:00
|
|
|
+----------+ +---------+
|
|
|
|
|
|
|
|
Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
|
|
|
|
500. Under Linux, there is no clean way to set up two sockets at the same port.
|
|
|
|
To reslove this problem, charon uses a RAW socket, as they are used in network
|
|
|
|
sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
|
|
|
|
traffic. Pluto receives any IKE message, independant of charons behavior.
|
|
|
|
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
|
|
|
|
|
|
|
|
|
|
|
|
IKEv2 keying daemon: charon
|
|
|
|
=============================
|
|
|
|
|
2006-03-23 15:25:43 +00:00
|
|
|
Threading modell
|
|
|
|
------------------
|
|
|
|
|
2006-03-21 10:10:56 +00:00
|
|
|
All IKEv2 stuff is handled in charon. It uses a newer and more flexible
|
|
|
|
architecture than pluto. Charon uses a thread-pool, which allows parallel
|
|
|
|
execution SA-management. Beside the thread-pool, there are some special purpose
|
|
|
|
threads which do their job for the common health of the daemon.
|
|
|
|
|
|
|
|
+------+
|
2006-04-04 12:45:29 +00:00
|
|
|
| E Q |
|
|
|
|
| v u |---+ +------+ +------+
|
|
|
|
| e e | | | | | IKE- |
|
|
|
|
| n u | +-----------+ | |--| SA |
|
|
|
|
| t e | | | | I M | +------+
|
|
|
|
+------------+ | - | | Scheduler | | K a |
|
|
|
|
| receiver | +------+ | | | E n | +------+
|
|
|
|
+----+-------+ +-----------+ | - a | | IKE- |
|
|
|
|
| | +------+ | | S g |--| SA |
|
|
|
|
+-------+--+ +-----| J Q |---+ +------------+ | A e | +------+
|
|
|
|
-| socket | | o u | | | | - r |
|
|
|
|
+-------+--+ | b e | | Thread- | | |
|
|
|
|
| | - u | | Pool | | |
|
|
|
|
+----+-------+ | e |------| |---| |
|
|
|
|
| sender | +------+ +------------+ +------+
|
2006-03-21 10:10:56 +00:00
|
|
|
+----+-------+
|
2006-04-04 12:45:29 +00:00
|
|
|
| +------+
|
|
|
|
| | S Q |
|
|
|
|
| | e u |
|
|
|
|
| | n e |
|
|
|
|
+------------| d u |
|
|
|
|
| - e |
|
2006-03-23 15:25:43 +00:00
|
|
|
+--+---+
|
2006-03-21 10:10:56 +00:00
|
|
|
|
|
|
|
The thread-pool is the heart of the architecture. It processes jobs from a
|
|
|
|
(fully synchronized) job-queue. Mostly, a job is associated with a specific
|
|
|
|
IKE SA. These IKE SAs are synchronized, only one thread can work one an IKE SA.
|
|
|
|
This makes it unnecesary to use further synchronisation methods once a IKE SA
|
|
|
|
is checked out. The (rather complex) synchronization of IKE SAs is completely
|
2006-03-23 15:25:43 +00:00
|
|
|
done in the IKE SA manager.
|
2006-03-21 10:10:56 +00:00
|
|
|
The sceduler is responsible for event firing. It waits until a event in the
|
|
|
|
(fully synchronized) event-queue is ready for processing and pushes the event
|
|
|
|
down to the job-queue. A thread form the pool will pick it up as quick as
|
|
|
|
possible. Every thread can queue events or jobs. Furter, an event can place a
|
|
|
|
packet in the send-queue. The sender thread waits for those packets and sends
|
|
|
|
them over the wire, via the socket. The receiver does exactly the opposite of
|
|
|
|
the sender. It waits on the socket, reads in packets an places them on the
|
|
|
|
job-queue for further processing by a thread from the pool.
|
|
|
|
There are even more threads, not drawn in the upper scheme. The stroke thread
|
|
|
|
is responsible for reading and processessing commands from another process. The
|
|
|
|
kernel interface thread handles communication from and to the kernel via a
|
|
|
|
netlink socket. It waits for kernel events and processes them appropriately.
|
2006-03-23 15:25:43 +00:00
|
|
|
|
|
|
|
|
|
|
|
configuration backends
|
|
|
|
------------------------
|
|
|
|
|
2006-03-21 10:10:56 +00:00
|
|
|
The configuration architecture for charon is complex, but is flexible and
|
|
|
|
extensible. All configuration stuff is split up in multiple parts:
|
|
|
|
|
|
|
|
connection Defines a connection between two hosts. Proposals define with
|
|
|
|
wich algorithms a IKE SA should be set up.
|
|
|
|
policy Defines the rules to apply ontop of a connection. A policy is
|
|
|
|
defined between two IDs. Proposals and traffic selectors allow
|
|
|
|
fine grained configuration of the CHILD SAs (AH and ESP) to set
|
|
|
|
up.
|
2006-03-23 15:25:43 +00:00
|
|
|
credential A credential is something used for authentication, such as a
|
2006-03-21 10:10:56 +00:00
|
|
|
preshared key, a RSA private or public key, certificate, ...
|
|
|
|
configuration The configuration itself handles daemon related configuration
|
|
|
|
stuff, such as interface binding or logging settings.
|
|
|
|
|
|
|
|
These configuration types are defined as interfaces, and are currently
|
2006-03-23 15:25:43 +00:00
|
|
|
implemented only in the stroke class. Through the modular design, parts could be
|
2006-03-21 10:10:56 +00:00
|
|
|
replaced with more powerful backends, such as a RADIUS server for the
|
|
|
|
credentials, a SQL database for the connections, policy definitions on an LDAP
|
2006-03-23 15:25:43 +00:00
|
|
|
server, and so on...
|