IPsec in the Linux Kernel

7

5

I have some issues (questions) related tot the Linux Kernel implementation of IPsec and it's user-space interface.

  1. The biggest question is which is the actual official project for the Linux Kernel IPsec implementation? From what I understood the implementation is a fork of the Kame project, but a friend said that this is not true. Which are their official website and repo ?
  2. Where in the Kernel Documentation source do I find some related notes?
  3. Which user-space frontend is it mostly used? ip-tools or the iproute2 package? Do these two have the same approach, or one of them has a bigger overhead?
  4. From what I've seen, tutorials for iproute2 IPsec transport mode relate to the "setkey" utility for loading the config file. Is "setkey" actually used for the iproute2 package, or I've been mislead ? Is "setkey" glued to "racoon" from ip-tools, or it's a general application for config loading? What does "setkey" actually do (I'm very confused about this) ?

Catalin Vasile

Posted 2014-07-30T06:51:23.147

Reputation: 139

Answers

15

  1. The IPsec stack integrated in the Linux kernel since 2.6 (NETKEY) was originally based on the KAME stack (at least in regards to the API). The source code is part of the kernel repository, where the main components are found in the net/xfrm folder, including the implementation of the Netlink/XFRM configuration interface. The alternative and standardized (but somewhat extended) PF_KEYv2 interface implementation is located in the net/key folder.
  2. There is not much documentation. But check the Documentation/networking folder.
  3. If you do manual configuration of IPsec SAs and policies (manual keying) I'd recommend iproute2. It uses the more powerful Netlink/XFRM interface and the package is installed by most distributions by default. But usually you'd use automatic keying provided by a userland IKE daemon such as strongSwan, Open/libreswan or racoon (ipsec-tools), that way you don't have to manually install SAs and policies and you get ephemeral encryption/integrity keys established via Diffie-Hellman during IKE. Regular automatic negotiation of new keys, which is called rekeying, is also possible.
  4. setkey is provided by the ipsec-tools package for manual keying, there is no relation to the iproute2 package. With iproute2 you'd use the ip xfrm command to manually configure SAs and policies. Both commands directly interact with the SAD and SPD (see RFC 4301) in the kernel to manually manage IPsec SAs and policies. setkey, like racoon and other BSD-based tools, uses the PF_KEYv2 interface, so it is less powerful than the ip xfrm command. For instance, extended sequence numbers or marks can't be configured with PF_KEYv2 on Linux.

ecdsa

Posted 2014-07-30T06:51:23.147

Reputation: 1 043

Asked: 2014-07-30T06:51:23.147

Viewed: 11 447 times

Active: 2015-08-10T09:25:20.043