
Help - IPSEC beginner



Hi all,
     As a part of my Masters, I am developing the IPSec code - ground up.
Well, as it stands, I am very new to IPSec, and have just managed to go
through RFC 2401. My project is for 2.5 months from now. I know that
this is too short a time to do anything much in IPSec, but I've got
this plan: at the end of the 2.5 months period, I'll have these:


   1. SPD and SAD interface code:
        1. Code that reads packet headers
        2. Queries SPD entries
        3. Queries/Adds SAD entries
   2. AH and ESP
        1. As of now, I propose using a simple form of encryption, or using
           any freely available encryption code. (I am not working for
           compatibility with other systems.)
        2. No support for nested SAs (or can I support them in the given
           period?)
        3. Support only for transport mode.
        4. IPv4 assumed.
        5. Auditing: Not full-fledged
   3. IKE
        1. Manual. Very simple methods
   4. Test program
        1. Write a small program that tests. Help needed later.

I am not sure whether I have made the right decisions here. Probably
experts on this list could comment on my plans. I am going to implement
this on the XKernel - a protocol framework from the University of Arizona.

As of now, I have gone through the XKernel architecture, and fully well
understand the details involved in implementing a new protocol. My
problem is mainly with the protocol itself - IPSec (or, may I say, a
collection of smaller protocols?).

I would greatly appreciate help from people on these lists. To begin
with, I have not yet decided the data structures, etc. that I will be
having in the code. I am reading the FreeS/WAN code too, but, since my
platform is XKernel, I do not quite think that the FreeS/WAN way of
creating an IPSec virtual interface, and then having the SAD in the proc
filesystem, would work.

Here are some basic doubts:

   1. SPD is a static database. I am proposing to have it in the form of
      a flat file. The file format would be something like this (for each
      entry):

      [ENTRY]
      dstaddr=<Destination Address>
      srcaddr=<Source Address>
      name=<User name or Fully Qualified Domain Name or OPAQUE>
      sensitivity=<FUTURE. Ignored now>
      tlp=<Transport Layer Protocol or OPAQUE>
      dstport=<Destination Port or OPAQUE>
      srcport=<Source Port or OPAQUE>
      action=<DISCARD or BYPASS or PROCESS>
      sas=<List of SAIDs with space between each>
      how=<PACKET or SPD>

      In my initialisation code, I'll read these entries into in-core
      memory. I guess there should be two such files - one for
      INBOUND packets and one for OUTBOUND packets.
      Please comment on this way of having the SPD.

   2. SAD: I am not very sure - is this a static database? In my opinion,
      the administrator has a startup SAD created. I am proposing to have
      a similar file structure (as above) for the SAD too.

      The reason for having a doubt about whether the SAD is static or
      dynamic springs from the fact that the outbound processing _creates_
      a new SA if an SA does not already exist to satisfy the selected
      SPD entry. (Please comment.)

      Secondly, when an incoming packet arrives, according to the RFC, if
      an SA does not already exist (seen from the IP Dest
      addr/Proto/SPI), the packet is _dropped_. If this should not
      happen, the admin can (or, can he?) create a startup SAD as said
      above. (Please comment.)

      Should SAD also be separate for inbound and outbound packets?

   3. For XKernel experts: Do I need to write a socket interface for
      writing my test program? I've seen that XKernel has a socket
      interface called XKSocket, that is specifically written for Mac. I
      am using Linux.

      If this is a laborious task, I propose writing an ipsectest
      protocol, just as many other such tests are written as a part of
      XKernel. Which, in your opinion, is the best?

Once I start, I propose giving a regular update on what I have done, so
that my progress is helped by you. Awaiting a reply. I will be writing
about my data structures and coding styles later.

Thanking you,
arvind.
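As an added example (not from the post, not XKernel or FreeS/WAN code), here is a small Python loader and lookup for the [ENTRY]/key=value SPD file format sketched in doubt 1 above, plus the outbound matching step that the SPD feeds. It goes a little beyond the post in assumptions, each marked in the code: dstaddr/srcaddr may be a single IPv4 address or a CIDR block; OPAQUE in tlp/dstport/srcport matches anything; entries are consulted in file order and the first match wins; a packet that matches no entry is DISCARDed, which is the fail-closed default RFC 2401 prescribes when no policy is found. The name and sensitivity keys are accepted but not used for lookup, since they are not derivable from packet headers. The sample SPD text is constructed; the helper names (parse_spd, decide, SpdEntry) are hypothetical. A malformed entry (unknown action, non-numeric port) aborts the load rather than silently yielding a permissive policy, and the numeric checks happen at load time so the per-packet path never raises.

```python
"""Loader and lookup for the [ENTRY]/key=value SPD file format from the post.
Constructed example, not XKernel code. Assumed beyond the post: address fields
hold one IPv4 address or a CIDR block; OPAQUE matches anything; entries are
consulted in file order, first match wins; no match means DISCARD."""
import ipaddress
from dataclasses import dataclass, field

VALID_ACTIONS = {"DISCARD", "BYPASS", "PROCESS"}
VALID_HOW = {"PACKET", "SPD"}
REQUIRED = ("dstaddr", "srcaddr", "tlp", "dstport", "srcport", "action", "how")

@dataclass
class SpdEntry:
    dstnet: ipaddress.IPv4Network
    srcnet: ipaddress.IPv4Network
    tlp: str          # transport protocol number as text, or OPAQUE
    dstport: str      # port number as text, or OPAQUE
    srcport: str
    action: str       # DISCARD, BYPASS or PROCESS
    how: str          # take SA selectors from the PACKET or from the SPD entry
    sas: list = field(default_factory=list)   # SAIDs named by the entry

    def matches(self, dst, src, proto, dport, sport):
        """True when the packet's header selectors fall inside this entry."""
        if ipaddress.ip_address(dst) not in self.dstnet:
            return False
        if ipaddress.ip_address(src) not in self.srcnet:
            return False
        for want, have in ((self.tlp, proto), (self.dstport, dport),
                           (self.srcport, sport)):
            if want != "OPAQUE" and int(want) != have:
                return False
        return True

def _build(fields):
    """Validate one parsed block; a malformed entry aborts the whole load."""
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"SPD entry missing keys: {missing}")
    if fields["action"] not in VALID_ACTIONS or fields["how"] not in VALID_HOW:
        raise ValueError(f"bad action/how in entry: {fields}")
    for k in ("tlp", "dstport", "srcport"):
        if fields[k] != "OPAQUE":
            int(fields[k])    # must be numeric, so matches() never raises
    # name= and sensitivity= (if present) are accepted but unused for lookup
    return SpdEntry(
        dstnet=ipaddress.ip_network(fields["dstaddr"], strict=False),
        srcnet=ipaddress.ip_network(fields["srcaddr"], strict=False),
        tlp=fields["tlp"], dstport=fields["dstport"], srcport=fields["srcport"],
        action=fields["action"], how=fields["how"],
        sas=fields.get("sas", "").split())

def parse_spd(text):
    """Return the ordered list of SpdEntry objects described by the file."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[ENTRY]":
            if current is not None:
                entries.append(_build(current))
            current = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected [ENTRY] or key=value")
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    if current is not None:
        entries.append(_build(current))
    return entries

def decide(entries, dst, src, proto, dport, sport):
    """(action, SAIDs) for the packet; anything unmatched is discarded."""
    for e in entries:
        if e.matches(dst, src, proto, dport, sport):
            return e.action, e.sas
    return "DISCARD", []

# Constructed outbound SPD for host 198.51.100.7: protect SSH to 192.0.2.0/24,
# pass local-LAN traffic in the clear, discard everything else by default.
SAMPLE_OUTBOUND_SPD = """\
[ENTRY]
dstaddr=192.0.2.0/24
srcaddr=198.51.100.7
tlp=6
dstport=22
srcport=OPAQUE
action=PROCESS
sas=1001 1002
how=SPD

[ENTRY]
dstaddr=198.51.100.0/24
srcaddr=198.51.100.7
tlp=OPAQUE
dstport=OPAQUE
srcport=OPAQUE
action=BYPASS
sas=
how=PACKET
"""
```

Usage: spd = parse_spd(SAMPLE_OUTBOUND_SPD), then decide(spd, "192.0.2.10", "198.51.100.7", 6, 22, 40000) returns ("PROCESS", ["1001", "1002"]), while an SSH packet to a host outside both entries returns ("DISCARD", []). Keeping inbound and outbound policy in two separately loaded files, as the post proposes, maps directly onto calling parse_spd twice and consulting the right list per direction.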



