IPsec overview by Rami Rosen

You can find some more info about IPSec here: networkoverview

IPsec operates at layer 3. IPsec is mandatory in IPv6 and optional in IPv4. Linux also implements IPsec for IPv6.

ip xfrm policy (or ip xfrm policy show) - shows IPsec policies.

ip xfrm state (or ip xfrm state show) - shows IPsec states.

ip xfrm monitor

These three commands open a NETLINK_XFRM socket and send messages to the kernel from user space. The handler for these messages is xfrm_netlink_rcv() in net/xfrm/xfrm_user.c, which eventually calls xfrm_user_rcv_msg().

IPsec statistics:

cat /proc/net/xfrm_stat

Important structures:

xfrm_policy struct.

action:

  • XFRM_POLICY_ALLOW - permit traffic.
  • XFRM_POLICY_BLOCK - block traffic.

dir: (direction)

  • XFRM_POLICY_IN
  • XFRM_POLICY_OUT
  • XFRM_POLICY_FWD

flags:

  • XFRM_POLICY_LOCALOK
  • XFRM_POLICY_ICMP

xfrm_state struct: represents an IPsec SA.

xfrm_state includes a structure called "props" which describes the properties of the state.

  • mode can be
    • XFRM_MODE_TRANSPORT for transport mode (when type=transport in /etc/ipsec.conf when working with openswan)
    • XFRM_MODE_TUNNEL for tunnels (when type=tunnel in /etc/ipsec.conf when working with openswan)
    • XFRM_MODE_ROUTEOPTIMIZATION - less commonly used.
    • XFRM_MODE_IN_TRIGGER - less commonly used.
    • XFRM_MODE_BEET - less commonly used.

struct xfrm_type

In IPv4:

  • ah_type - AH protocol (net/ipv4/ah4.c)
  • esp_type - ESP protocol (net/ipv4/esp4.c)
  • ipcomp_type - IPComp protocol (net/ipv4/ipcomp.c)
  • ipip_type - IPIP protocol (net/ipv4/xfrm4_tunnel.c)

In IPv6:

  • ah6_type
  • esp6_type
  • ipcomp6_type
  • mip6_destopt_type
  • xfrm6_tunnel_type

struct xfrm_mode

In IPv4:

  • xfrm4_tunnel_mode
  • xfrm4_transport_mode
  • xfrm4_beet_mode

In IPv6:

  • xfrm6_tunnel_mode
  • xfrm6_transport_mode
  • xfrm6_beet_mode
  • xfrm6_ro_mode

Adding policies and states from user space:

Handling addition of policies is done by:

xfrm_add_policy() (net/xfrm/xfrm_user.c)

Handling addition of states is done by:

xfrm_add_sa() (net/xfrm/xfrm_user.c)

Handling allocation of an SPI (using randomness) is done by:

xfrm_alloc_userspi() (net/xfrm/xfrm_user.c)

Diagram: xfrm_lookup() and its invocation

As said before, ip xfrm policy show, ip xfrm state show, and ip xfrm monitor open a NETLINK_XFRM socket and send messages to the kernel from user space. The handler for these messages is xfrm_netlink_rcv() in net/xfrm/xfrm_user.c, which eventually calls xfrm_user_rcv_msg().

The messages can be:

  • XFRM_MSG_NEWSA
  • XFRM_MSG_DELSA
  • XFRM_MSG_GETSA
  • XFRM_MSG_NEWPOLICY
  • XFRM_MSG_DELPOLICY
  • XFRM_MSG_GETPOLICY
  • XFRM_MSG_ALLOCSPI
  • XFRM_MSG_ACQUIRE
  • XFRM_MSG_EXPIRE
  • XFRM_MSG_UPDPOLICY
  • XFRM_MSG_UPDSA
  • XFRM_MSG_POLEXPIRE
  • XFRM_MSG_FLUSHSA
  • XFRM_MSG_FLUSHPOLICY
  • XFRM_MSG_NEWAE
  • XFRM_MSG_GETAE
  • XFRM_MSG_MIGRATE
  • XFRM_MSG_GETSADINFO
  • XFRM_MSG_GETSPDINFO
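To make the NETLINK_XFRM exchange concrete, here is an added Python example (not code from this page or from the kernel sources) that packs an XFRM_MSG_GETSPDINFO request the way the ip xfrm tools do and unpacks the XFRM_MSG_NEWSPDINFO reply the kernel answers with, which carries the policy counts per direction (XFRM_POLICY_IN, XFRM_POLICY_OUT, XFRM_POLICY_FWD). The message type and attribute constants are the values from uapi/linux/xfrm.h; SAMPLE_REPLY is a constructed reply so the parser can be exercised offline, and the live query needs CAP_NET_ADMIN.

```python
import socket
import struct

NETLINK_XFRM = 6                 # netlink family the ip xfrm commands talk to
NLM_F_REQUEST = 0x01
NLMSG_HDR = "=IHHII"             # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDRLEN = struct.calcsize(NLMSG_HDR)
# Message types from uapi/linux/xfrm.h (XFRM_MSG_BASE is 0x10).
XFRM_MSG_NEWSPDINFO = 0x24       # the kernel's reply type
XFRM_MSG_GETSPDINFO = 0x25       # the request type
XFRMA_SPD_INFO = 1               # nlattr carrying struct xfrmu_spdinfo
# struct xfrmu_spdinfo: incnt, outcnt, fwdcnt, inscnt, outscnt, fwdscnt
SPDINFO_FMT = "=6I"
SPDINFO_FIELDS = ("in", "out", "fwd", "in_sock", "out_sock", "fwd_sock")


def build_getspdinfo(seq):
    """GETSPDINFO request: nlmsghdr followed by one u32 flags word (0)."""
    payload = struct.pack("=I", 0)
    hdr = struct.pack(NLMSG_HDR, NLMSG_HDRLEN + len(payload),
                      XFRM_MSG_GETSPDINFO, NLM_F_REQUEST, seq, 0)
    return hdr + payload


def parse_spdinfo_reply(buf):
    """Return {direction: policy count} from an XFRM_MSG_NEWSPDINFO message."""
    nlen, ntype, _flags, _seq, _pid = struct.unpack_from(NLMSG_HDR, buf)
    if ntype != XFRM_MSG_NEWSPDINFO or nlen > len(buf):
        raise ValueError("not a complete XFRM_MSG_NEWSPDINFO message")
    off, counts = NLMSG_HDRLEN + 4, {}   # skip the echoed u32 flags word
    while off + 4 <= nlen:               # walk the nlattr chain
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < 4 or off + nla_len > nlen:
            raise ValueError("malformed nlattr")
        if nla_type == XFRMA_SPD_INFO:
            fields = struct.unpack(SPDINFO_FMT, buf[off + 4:off + nla_len])
            counts = dict(zip(SPDINFO_FIELDS, fields))
        off += (nla_len + 3) & ~3        # NLA_ALIGN: attributes are 4-byte padded
    return counts


def query_kernel_spdinfo():
    """Live query; xfrm_user_rcv_msg() demands CAP_NET_ADMIN even for GET."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_XFRM) as s:
        s.send(build_getspdinfo(seq=1))
        return parse_spdinfo_reply(s.recv(4096))


# Constructed reply (not captured from a kernel): 2 IN, 2 OUT, 1 FWD policy.
_attr = struct.pack("=HH", 4 + 24, XFRMA_SPD_INFO) + struct.pack(SPDINFO_FMT, 2, 2, 1, 0, 0, 0)
SAMPLE_REPLY = (struct.pack(NLMSG_HDR, NLMSG_HDRLEN + 4 + len(_attr),
                            XFRM_MSG_NEWSPDINFO, 0, 1, 0) + struct.pack("=I", 0) + _attr)
```

Running query_kernel_spdinfo() as root returns the same dictionary that ip xfrm policy count prints, while an unprivileged caller gets an NLMSG_ERROR message back, which the parser rejects.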
openswan

openswan is an open source project which supports IPsec VPNs.

openswan supports IPv4 and IPv6.

http://www.openswan.org/

strongswan is another project which supports IPsec VPNs.

http://www.strongswan.org/

openswan was ported to MacOS.

Links:

Articles:

Creating VPNs with IPsec and SSL/TLS:

http://www.linuxjournal.com/article/9916

IPv6 IPsec and Mobile IPv6 implementation of Linux:

www.kernel.org/doc/ols/2004/ols2004v2-pages-85-94.pdf

RFC 2401 - Security Architecture for the Internet Protocol

http://www.ietf.org/rfc/rfc2401.txt

Groups: