IPsec in the Linux Kernel
I have some issues (questions) related to the Linux Kernel implementation of IPsec and its user-space interface.
- The biggest question is which is the actual official project for the Linux Kernel IPsec implementation? From what I understood the implementation is a fork of the Kame project, but a friend said that this is not true. What are its official website and repo?
- Where in the Kernel Documentation source do I find some related notes?
- Which user-space frontend is mostly used? ip-tools or the iproute2 package? Do these two have the same approach, or does one of them have a bigger overhead?
- From what I've seen, tutorials for iproute2 IPsec transport mode relate to the "setkey" utility for loading the config file. Is "setkey" actually used for the iproute2 package, or have I been misled? Is "setkey" glued to "racoon" from ip-tools, or is it a general application for config loading? What does "setkey" actually do (I'm very confused about this)?
- The IPsec stack integrated in the Linux kernel since 2.6 (NETKEY) was originally based on the KAME stack (at least in regards to the API). The source code is part of the kernel repository, where the main components are found in the `net/xfrm` folder, including the implementation of the Netlink/XFRM configuration interface. The alternative and standardized (but somewhat extended) PF_KEYv2 interface implementation is located in the `net/key` folder.
- There is not much documentation. But check the `Documentation/networking` folder.
- If you do manual configuration of IPsec SAs and policies (manual keying) I'd recommend iproute2. It uses the more powerful Netlink/XFRM interface and the package is installed by most distributions by default. But usually you'd use automatic keying provided by a userland IKE daemon such as strongSwan, Open/libreswan or racoon (ipsec-tools), that way you don't have to manually install SAs and policies and you get ephemeral encryption/integrity keys established via Diffie-Hellman during IKE. Regular automatic negotiation of new keys, which is called rekeying, is also possible.
- `setkey` is provided by the ipsec-tools package for manual keying, there is no relation to the iproute2 package. With iproute2 you'd use the `ip xfrm` command to manually configure SAs and policies. Both commands directly interact with the SAD and SPD (see RFC 4301) in the kernel to manually manage IPsec SAs and policies. `setkey`, like `racoon` and other BSD-based tools, uses the PF_KEYv2 interface, so it is less powerful than the `ip xfrm` command. For instance, extended sequence numbers or marks can't be configured with PF_KEYv2 on Linux.
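The manual-keying workflow the answer recommends, as an added example that is not part of the original answer: a POSIX shell script that builds the `ip xfrm state add` and `ip xfrm policy add` commands for an ESP transport-mode SA pair between two hosts, including an anti-replay window and extended sequence numbers (`flag esn`), one of the features the answer says PF_KEYv2 cannot express. Everything in it is constructed: the hosts 192.0.2.1 and 192.0.2.2 (TEST-NET-1), the SPIs, the reqid and the AES-GCM keys are placeholders, not values from the page. By default it only prints the commands; setting `APPLY=1` runs them, which requires root.

```shell
#!/bin/sh
# Added example (not the answer's own code): manual keying of an ESP transport-mode
# SA pair and the matching SPD entries with iproute2's `ip xfrm`.
# Constructed assumptions: hosts 192.0.2.1 <-> 192.0.2.2, SPIs 0x1000/0x1001,
# reqid 1. The keys below are placeholders only; on a real system generate fresh
# ones (e.g. `openssl rand -hex 20`) and never reuse them across SAs.

LOCAL=192.0.2.1
PEER=192.0.2.2
REQID=1
# rfc4106(gcm(aes)) with AES-128 takes 16 key bytes + 4 salt bytes = 40 hex digits.
KEY_OUT=0x00112233445566778899aabbccddeeff01020304   # placeholder
KEY_IN=0xffeeddccbbaa99887766554433221100fafbfcfd    # placeholder

# xfrm_state_cmd SRC DST SPI KEY
# Emits one SAD entry: ESP in transport mode, AES-GCM as AEAD with a 128-bit ICV,
# a 64-packet anti-replay window and 64-bit extended sequence numbers (ESN).
xfrm_state_cmd() {
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport aead "rfc4106(gcm(aes))" %s 128 replay-window 64 flag esn\n' \
        "$1" "$2" "$3" "$REQID" "$4"
}

# xfrm_policy_cmd SRC DST DIR
# Emits one SPD entry that steers traffic between the two hosts into the SA
# carrying the same reqid; "dir" is out or in.
xfrm_policy_cmd() {
    printf 'ip xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp reqid %s mode transport\n' \
        "$1" "$2" "$3" "$1" "$2" "$REQID"
}

# Complete configuration for the local host: outbound SA, inbound SA and the two
# policies. The peer installs the mirror image (LOCAL/PEER and the keys swapped).
xfrm_local_config() {
    xfrm_state_cmd "$LOCAL" "$PEER" 0x1000 "$KEY_OUT"
    xfrm_state_cmd "$PEER" "$LOCAL" 0x1001 "$KEY_IN"
    xfrm_policy_cmd "$LOCAL" "$PEER" out
    xfrm_policy_cmd "$PEER" "$LOCAL" in
}

# Dry run by default; APPLY=1 feeds the commands to a shell (needs CAP_NET_ADMIN).
if [ "${APPLY:-0}" = 1 ]; then
    xfrm_local_config | sh -e
else
    xfrm_local_config
fi
```

After applying, `ip xfrm state` and `ip xfrm policy` show the installed SAD and SPD entries, and `ip xfrm state flush` / `ip xfrm policy flush` remove them again. Because the keys are static, this setup gives no forward secrecy and no rekeying; that is exactly the gap the answer's recommendation of an IKE daemon (strongSwan, Open/libreswan, racoon) closes.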