IPsec in the Linux Kernel

linux-kernel iproute2 ipsec

I have some issues (questions) related tot the Linux Kernel implementation of IPsec and it's user-space interface.

  1. The biggest question is which is the actual official project for the Linux Kernel IPsec implementation? From what I understood the implementation is a fork of the Kame project, but a friend said that this is not true. Which are their official website and repo ?
  2. Where in the Kernel Documentation source do I find some related notes?
  3. Which user-space frontend is it mostly used? ip-tools or the iproute2 package? Do these two have the same approach, or one of them has a bigger overhead?
  4. From what I've seen, tutorials for iproute2 IPsec transport mode relate to the "setkey" utility for loading the config file. Is "setkey" actually used for the iproute2 package, or I've been mislead ? Is "setkey" glued to "racoon" from ip-tools, or it's a general application for config loading? What does "setkey" actually do (I'm very confused about this) ?

  1. The IPsec stack integrated in the Linux kernel since 2.6 (NETKEY) was originally based on the KAME stack (at least in regards to the API). The source code is part of the kernel repository, where the main components are found in the net/xfrm folder, including the implementation of the Netlink/XFRM configuration interface. The alternative and standardized (but somewhat extended) PF_KEYv2 interface implementation is located in the net/key folder.
  2. There is not much documentation. But check the Documentation/networking folder.
  3. If you do manual configuration of IPsec SAs and policies (manual keying) I'd recommend iproute2. It uses the more powerful Netlink/XFRM interface and the package is installed by most distributions by default. But usually you'd use automatic keying provided by a userland IKE daemon such as strongSwan, Open/libreswan or racoon (ipsec-tools), that way you don't have to manually install SAs and policies and you get ephemeral encryption/integrity keys established via Diffie-Hellman during IKE. Regular automatic negotiation of new keys, which is called rekeying, is also possible.
  4. setkey is provided by the ipsec-tools package for manual keying, there is no relation to the iproute2 package. With iproute2 you'd use the ip xfrm command to manually configure SAs and policies. Both commands directly interact with the SAD and SPD (see RFC 4301) in the kernel to manually manage IPsec SAs and policies. setkey, like racoon and other BSD-based tools, uses the PF_KEYv2 interface, so it is less powerful than the ip xfrm command. For instance, extended sequence numbers or marks can't be configured with PF_KEYv2 on Linux.

Related

Hide all output from a background process
"Sign in to Chrome" missing; No syncing options in chrome://settings; Chrome: 37.0.2062.102
What is the purpose of the `daemon` group and user on RHEL/CentOS Linux?
Error booting Windows 7 system: "<random name> is compressed / Press Ctrl+Alt+Del to restart"
Convention for file extensions: uppercase or lowercase
how to list current path mode?
Chrome ERR_QUIC_PROTOCOL_ERROR
How to add Google's "I'm Feeling Lucky" Search to firefox?
Average numbers if another column contains a certain substring text in Excel
How to integrate $\exp\left(-ax^2\right)\operatorname{erf}(bx+c)$?
What conditions would make a system of two quadratic equations have one real solution?
How to show $q:H_2(S^1\times S^1)\longrightarrow H_2(S^1\times S^1, S^1\vee S^1)$ is an isomorphism?