IKE keying daemon charon » History » Version 10
Martin Willi, 20.08.2008 11:00
= IKEv2 keying daemon charon =
The ''charon'' keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.
It has a fully multi-threaded design to meet today's requirements.
||[browser:trunk/src/charon/processing/processor.h Processor]||The threading is realized with the help of a thread pool (called processor), which contains a fixed number of pre-created threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.||
||[browser:trunk/src/charon/processing/scheduler.h Scheduler]||The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor.||
||[browser:trunk/src/charon/sa/ike_sa_manager.h IKE_SA Manager]||The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a single IKE_SA. This allows the (complex) IKE_SA routines to be written non-thread-safe.||
||[browser:trunk/src/charon/sa/ike_sa.h IKE_SA]||The IKE_SA contains the state and the logic of each IKE_SA and handles the messages.||
||[browser:trunk/src/charon/sa/child_sa.h CHILD_SA]||The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.||
||[browser:trunk/src/charon/kernel/kernel_interface.h Kernel Interface]||The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.||
||[browser:trunk/src/charon/bus/bus.h Bus]||The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages, are sent over the bus.||
||[browser:trunk/src/charon/control/controller.h Controller]||The controller provides a simple API for plugins to control the daemon (e.g. initiate IKE_SA, close IKE_SA, ...).||
||[browser:trunk/src/charon/config/backend_manager.h Backends]||Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration.||
||[browser:trunk/src/charon/credentials/credential_manager.h Credentials]||Provides trustchain verification and credential serving using registered plugins.||
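The strict check-out/check-in discipline the IKE_SA manager enforces, as an added illustration in plain C; this is not strongSwan's own ike_sa_manager.h code, and every name in it (sa_manager_t, sa_checkout, sa_checkin, the numeric SA id) is hypothetical. It assumes a fixed table of SAs and POSIX threads.

```c
/* Added example, not strongSwan code: a minimal checkout/checkin manager in
 * the spirit of charon's IKE_SA manager. All names here are hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#define MAX_SAS 4

typedef struct {
    unsigned id;       /* stand-in for the IKE SPI pair */
    bool checked_out;  /* true while exactly one thread owns the SA */
    int state;         /* SA state: mutated only by the owner, so no lock */
} ike_sa_t;

typedef struct {
    pthread_mutex_t mutex;  /* guards the checked_out flags, not SA state */
    pthread_cond_t cond;    /* signalled on every checkin */
    ike_sa_t sas[MAX_SAS];  /* slot i holds the SA with id i + 1 */
} sa_manager_t;

void sa_manager_init(sa_manager_t *m)  /* all SAs start free */
{
    pthread_mutex_init(&m->mutex, NULL);
    pthread_cond_init(&m->cond, NULL);
    for (unsigned i = 0; i < MAX_SAS; i++)
        m->sas[i] = (ike_sa_t){ .id = i + 1 };
}

/* Hand the SA to the caller exclusively. block=true waits for the current
 * owner to check it in; block=false returns NULL if it is busy or unknown. */
ike_sa_t *sa_checkout(sa_manager_t *m, unsigned id, bool block)
{
    if (id < 1 || id > MAX_SAS) return NULL;  /* unknown SA */
    ike_sa_t *sa = &m->sas[id - 1];
    pthread_mutex_lock(&m->mutex);
    while (sa->checked_out) {
        if (!block) { sa = NULL; break; }
        pthread_cond_wait(&m->cond, &m->mutex);
    }
    if (sa) sa->checked_out = true;
    pthread_mutex_unlock(&m->mutex);
    return sa;
}

void sa_checkin(sa_manager_t *m, ike_sa_t *sa)  /* return it, wake waiters */
{
    pthread_mutex_lock(&m->mutex);
    sa->checked_out = false;
    pthread_cond_broadcast(&m->cond);
    pthread_mutex_unlock(&m->mutex);
}
```

Because a thread holding an SA is the only one allowed to touch its fields, the SA's own routines can stay lock-free; a second thread asking for the same SA either waits or, in the non-blocking form, gets NULL.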
== Plugins ==
The daemon loads plugins at startup. These implement the [browser:trunk/src/libstrongswan/plugins/plugin.h plugin_t] interface. Each plugin registers itself at the daemon to hook in functionality.
{{{
-----------------------------------
| charon -- ----------+
| | | | stroke |
| | | ---------+
| ----------- | | ---------+
| | bus | ----> | p | | smp |
| ----------- | l | ---------+
| ----------- <---- | u | ---------+
| | controller | | g | | sql |
| ----------- ----> | i | ---------+
| ----------- | n | ---------+
| | credentials | <---- | | | eap_aka |
| ----------- | l | ---------+
| ----------- ----> | o | ---------+
| | backends | | a | | eap_sim |
| ----------- <---- | d | ---------+
| ----------- | e | ---------+
| | eap | ----> | r | | eap_md5 |
| ----------- | | ---------+
| | | ---------+
| | | |eap_identity|
| -- ----------+
-----------------------------------
}}}
||[browser:trunk/src/charon/plugins/stroke stroke]||The stroke plugin loads credentials from ''/etc/ipsec.d'', reads ''ipsec.secrets'' and accepts configurations and control commands from ipsec starter.||
||[browser:trunk/src/charon/plugins/smp smp]||The smp plugin implements the [wiki:SMP] protocol to control and query the daemon using an XML interface.||
||[browser:trunk/src/charon/plugins/sql sql]||The sql plugin provides credentials and configurations from a relational database, see [wiki:SQL].||
||[browser:trunk/src/charon/plugins/eap_aka eap_aka]||Implements the EAP-AKA module completely in software.||
||[browser:trunk/src/charon/plugins/eap_sim eap_sim]||Implements the EAP-SIM module using either a triplet file or a third-party card reader library.||
||[browser:trunk/src/charon/plugins/eap_md5 eap_md5]||Implements the EAP-MD5 module (CHAP).||
||[browser:trunk/src/charon/plugins/eap_identity eap_identity]||EAP helper module to serve an identity over EAP before doing EAP authentication.||
||[browser:trunk/src/charon/plugins/medcli medcli]||Reads mediation/mediated connections for a client from a simple database.||
||[browser:trunk/src/charon/plugins/medsrv medsrv]||Reads mediation connections for a mediation server from a simple database.||
||[browser:trunk/src/charon/plugins/nm nm]||!NetworkManager configuration and control interface.||
||[browser:trunk/src/charon/plugins/uci uci]||OpenWRT UCI configuration backend.||
||[browser:trunk/src/charon/plugins/unit_tester unit_tester]||Simple unit testing framework for charon and libstrongswan.||