Ipsec - PF_KEY and set_policy

aditya kiran adityaa.kiran at gmail.com
Sat Aug 4 16:54:21 UTC 2007


Hi George,
Thanks a lot for the clarification. Yeah, I was quite confused with
ipsec_set_policy, which has multiple definitions: one which converts the
human-readable policy format and another one inside the kernel. Doing a
little bit of code walk-through, it looks like the second one is called when
policy is set on the socket.
Thanks,
Adityaa

On 7/27/07, George V. Neville-Neil <gnn at neville-neil.com> wrote:
>
> At Thu, 26 Jul 2007 08:13:02 +0800,
> blue wrote:
> >
> > As far as I know, setkey is used for IPsec SP and SA configuration.
> > ipsec_set_policy() could transfer a string to "policy request", which is
> > defined in RFC 2367 PF_KEY. Internally, setkey() will call
> > ipsec_set_policy() to construct the message then send it down to the
> > kernel. However, ipsec_set_policy() is used only for SP, not SA.
> >
> And expanding on this just a bit, there is a difference between a
> policy (SP) and an association (SA) which is important to understand.
> A policy describes something more general, such as "Between network A
> and network B use an IPSEC ESP tunnel for all traffic." while an
> association is an active communication channel like, "Between address
> A and address B we have a tunnel using ESP with key X."  There are two
> databases in the kernel for this, a Security Policy Database which is
> manipulated using the ipsec_set_policy() routine, and a Security
> Association Database which is manipulated using direct calls to PF Key
> sockets.
>
> See RFC 2401 for a good intro to these concepts.
>
> Best,
> George
>
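blue's message above describes setkey building an RFC 2367 PF_KEY message and sending it down to the kernel. The following is an added example, not code from this thread or from the FreeBSD/KAME sources: it packs and parses the fixed sadb_msg header and walks the extension chain, entirely offline, using only the constant values RFC 2367 defines (the sadb_sa extension stands in for the SA side; the KAME policy extension used for SP entries is not modelled).

```python
import struct

PF_KEY_V2 = 2
# sadb_msg: version, type, errno, satype, len (64-bit units), reserved, seq, pid
SADB_MSG_FMT = "BBBBHHII"
SADB_MSG_LEN = struct.calcsize(SADB_MSG_FMT)  # 16 bytes, host byte order
SADB_ADD, SADB_DUMP = 3, 10                   # sadb_msg_type values from RFC 2367
SADB_SATYPE_ESP = 3
SADB_EXT_SA = 1                               # sadb_ext_type of the sadb_sa extension
SADB_SASTATE_MATURE = 1

def build_sadb_msg(msg_type, satype, seq, pid, extensions=b""):
    """Header plus extension bytes, as a process would write() them to a PF_KEY socket."""
    total = SADB_MSG_LEN + len(extensions)
    if total % 8:
        raise ValueError("PF_KEY messages are padded to 8-byte units")
    hdr = struct.pack(SADB_MSG_FMT, PF_KEY_V2, msg_type, 0, satype, total // 8, 0, seq, pid)
    return hdr + extensions

def build_sadb_sa_ext(spi, state, auth_alg, encrypt_alg, flags=0):
    """sadb_sa extension: len, exttype, spi (network order), replay, state, auth, encrypt, flags."""
    ext = struct.pack("HH", 2, SADB_EXT_SA) + struct.pack("!I", spi)
    return ext + struct.pack("BBBBI", 0, state, auth_alg, encrypt_alg, flags)

def parse_sadb_msg(data):
    """Validate a message read back from the kernel and split it into its extensions."""
    if len(data) < SADB_MSG_LEN:
        raise ValueError("short PF_KEY message")
    version, mtype, err, satype, units, _, seq, pid = struct.unpack(SADB_MSG_FMT, data[:SADB_MSG_LEN])
    if version != PF_KEY_V2:
        raise ValueError("unexpected PF_KEY version %d" % version)
    if units * 8 != len(data):
        raise ValueError("sadb_msg_len does not match the bytes received")
    exts, off = [], SADB_MSG_LEN
    while off < len(data):
        elen, etype = struct.unpack("HH", data[off:off + 4])  # sadb_ext header
        if elen == 0 or off + elen * 8 > len(data):
            raise ValueError("malformed extension at offset %d" % off)
        exts.append((etype, data[off:off + elen * 8]))
        off += elen * 8
    return {"type": mtype, "errno": err, "satype": satype, "seq": seq, "pid": pid, "extensions": exts}

def sa_spi(ext_bytes):
    """SPI carried in an sadb_sa extension, converted back from network byte order."""
    return struct.unpack("!I", ext_bytes[4:8])[0]

if __name__ == "__main__":
    dump = build_sadb_msg(SADB_DUMP, SADB_SATYPE_ESP, 1, 4242)  # constructed sample request
    print(parse_sadb_msg(dump))
```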
