IKEv2 keying daemon charon
The charon keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan. It has a fully multi-threaded design to meet today's requirements.
Architecture
     +---------------------------------+      +----------------------------+
     |           Credentials           |      |          Backends          |
     +---------------------------------+      +----------------------------+

      +------------+   +-----------+        +------+            +----------+
      |  receiver  |   |           |        |      |  +------+  | CHILD_SA |
      +----+-------+   | Scheduler |        | IKE- |  | IKE- |--+----------+
           |           |           |        | SA   |--| SA   |  | CHILD_SA |
   +-------+--+         +-----------+        |      |  +------+  +----------+
<->| socket   |                              | Man- |
   +-------+--+         +-----------+        | ager |  +------+  +----------+
           |           |           |        |      |  | IKE- |--| CHILD_SA |
      +----+-------+   | Processor |--------|      |--| SA   |  +----------+
      |   sender   |   |           |        |      |  +------+
      +------------+   +-----------+        +------+

     +---------------------------------+      +----------------------------+
     |               Bus               |      |      Kernel Interface      |
     +---------------------------------+      +----------------------------+
            |                 |                             |
     +-------------+   +-------------+                      V
     | File-Logger |   |  Sys-Logger |                    //////
     +-------------+   +-------------+
| Processor | The threading is realized with the help of a thread pool (called processor), which contains a fixed number of pre-created threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution. |
| Scheduler | The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor. |
| IKE_SA Manager | The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be strictly checked out and checked in again after use. The manager guarantees that only one thread may check out a single IKE_SA. This allows the (complex) IKE_SA routines to be written without being thread-safe. |
| IKE_SA | The IKE_SA contains the state and the logic of an IKE_SA and handles its messages. |
| CHILD_SA | The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface. |
| Kernel Interface | The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers. |
| Bus | The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages, are sent over the bus. |
| Controller | The controller provides a simple API for plugins to control the daemon (e.g. initiate IKE_SA, close IKE_SA, ...). |
| Backends | Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration. |
| Credentials | Provides trustchain verification and credential serving using registered plugins. |
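As an added illustration of the IKE_SA manager's check-out/check-in discipline described in the table (a hypothetical model, not charon's own ike_sa_manager code), the C below lets checkout block until the IKE_SA is free, so the IKE_SA's own state can be updated by its holder without any locking of its own; a probe counts how often two threads would have been inside the same IKE_SA at once.

```c
/* Hypothetical model of the IKE_SA manager's check-out/check-in discipline
 * described above; not charon's own ike_sa_manager code. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
/* checked_out marks the single owner; state is IKE_SA data the owner updates unlocked. */
typedef struct { uint64_t spi; int checked_out; int state; } ike_sa_entry_t;
ike_sa_entry_t sas[] = { {0x1000}, {0x1001}, {0x1002} };   /* constructed SA table */
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;  /* guards the table */
static pthread_cond_t checked_in = PTHREAD_COND_INITIALIZER;
static atomic_int holders, violations; /* probes: threads inside an SA, overlaps */
/* Block until the IKE_SA with this SPI is free, then own it; NULL if SPI unknown. */
ike_sa_entry_t *manager_checkout(uint64_t spi) {
    ike_sa_entry_t *sa = NULL;
    pthread_mutex_lock(&mutex);
    for (size_t i = 0; i < sizeof(sas) / sizeof(*sas); i++)
        if (sas[i].spi == spi) sa = &sas[i];
    while (sa && sa->checked_out)   /* strict: wait until the holder checks in */
        pthread_cond_wait(&checked_in, &mutex);
    if (sa) sa->checked_out = 1;
    pthread_mutex_unlock(&mutex);
    return sa;
}
/* Release the IKE_SA so that the next waiting thread can check it out. */
void manager_checkin(ike_sa_entry_t *sa) {
    pthread_mutex_lock(&mutex);
    sa->checked_out = 0;
    pthread_cond_broadcast(&checked_in);
    pthread_mutex_unlock(&mutex);
}
static void *worker(void *rounds) {
    for (int i = 0; i < *(int *)rounds; i++) {
        ike_sa_entry_t *sa = manager_checkout(0x1000); /* all contend for one SA */
        if (atomic_fetch_add(&holders, 1) > 0) atomic_fetch_add(&violations, 1);
        sa->state++;                                   /* plain, unlocked update */
        atomic_fetch_sub(&holders, 1);
        manager_checkin(sa);
    }
    return NULL;
}
/* `threads` workers each check the same IKE_SA out `rounds` times; returns how
 * often two threads were inside it at once (0 if the discipline holds). */
int run_contention_demo(int threads, int rounds) {
    pthread_t t[threads];
    for (int i = 0; i < threads; i++) pthread_create(&t[i], NULL, worker, &rounds);
    for (int i = 0; i < threads; i++) pthread_join(t[i], NULL);
    return atomic_load(&violations);
}
```

After `run_contention_demo(4, 1000)` the contended entry's `state` is exactly 4000 and the violation count is 0; dropping the `while` wait in `manager_checkout` reproduces the lost updates the strict check-out rule prevents.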
Plugins
The daemon loads plugins at startup. These implement the plugin_t interface. Each plugin registers itself with the daemon to hook in functionality.
+---------------------------------------------+
| charon                  +---+ +-----+------+ |
|                        |   | |   stroke   | |
|                        |   | +-----+------+ |
|  +-------------+       |   | +-----+------+ |
|  |     bus     | ----> | p | |    smp     | |
|  +-------------+       | l | +-----+------+ |
|  +-------------+ <---- | u | +-----+------+ |
|  | controller  |       | g | |    sql     | |
|  +-------------+ ----> | i | +-----+------+ |
|  +-------------+       | n | +-----+------+ |
|  | credentials | <---- |   | |  eap_aka   | |
|  +-------------+       | l | +-----+------+ |
|  +-------------+ ----> | o | +-----+------+ |
|  |  backends   |       | a | |  eap_sim   | |
|  +-------------+ <---- | d | +-----+------+ |
|  +-------------+       | e | +-----+------+ |
|  |     eap     | ----> | r | |  eap_md5   | |
|  +-------------+       |   | +-----+------+ |
|                        |   | +-----+------+ |
|                        |   | |eap_identity| |
|                        +---+ +-----+------+ |
+---------------------------------------------+
There is a growing list of available plugins:
| stroke | The stroke plugin loads credentials from /etc/ipsec.d, reads ipsec.secrets and accepts configurations and control commands from ipsec starter. |
| smp | The smp plugin implements the SMP protocol to control and query the daemon using an XML interface. |
| sql | The sql plugin provides credentials and configurations from a relational database, see SQL. |
| eap_aka | Implements the AKA EAP module completely in software. |
| eap_sim | Implements the SIM EAP module using either a triplet file or a third-party card reader library. |
| eap_md5 | Implements the MD5 EAP module (CHAP). |
| eap_gtc | Implements a GTC EAP module to use for PAM authentication. |
| eap_identity | EAP helper module to serve an Identity over EAP before doing EAP authentication. |
| medcli | Reads mediation/mediated connections for a client from a simple database. |
| medsrv | Reads mediation connections for a mediation server from a simple database. |
| nm | NetworkManager configuration and control interface. |
| uci | OpenWRT UCI configuration backend. |
| unit_tester | Simple unit testing framework for charon and libstrongswan. |
