IKE keying daemon charon » History » Version 13

Version 12 (Martin Willi, 18.11.2008 09:53) → Version 13/19 (Tobias Brunner, 20.11.2008 18:00)

= IKEv2 keying daemon charon =

The ''charon'' keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.
It has a fully multi-threaded design to meet today's requirements.

== Architecture ==
{{{
       +---------------------------------+      +----------------------------+
       |           Credentials           |      |          Backends          |
       +---------------------------------+      +----------------------------+

       +------------+    +-----------+        +------+            +----------+
       |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
       +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
            |            |           |        | SA   |--| SA   |  | CHILD_SA |
   +--------+--+         +-----------+        |      |  +------+  +----------+
<->| socket |  |                              | Man- |
   +--------+--+         +-----------+        | ager |  +------+  +----------+
            |            |           |        |      |  | IKE- |--| CHILD_SA |
       +----+-------+    | Processor |--------|      |--| SA   |  +----------+
       |   sender   |    |           |        |      |  +------+
       +------------+    +-----------+        +------+

       +---------------------------------+      +----------------------------+
       |               Bus               |      |      Kernel Interface      |
       +---------------------------------+      +----------------------------+
              |                 |                             |
       +-------------+   +-------------+                      V
       | File-Logger |   | Sys-Logger  |                    //////
       +-------------+   +-------------+
}}}

||[browser:trunk/src/charon/processing/processor.h Processor]||The threading is realized with the help of a thread pool (called processor), which contains a fixed number of pre-created threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.||
||[browser:trunk/src/charon/processing/scheduler.h Scheduler]||The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor when they are due.||
||[browser:trunk/src/charon/sa/ike_sa_manager.h IKE_SA Manager]||The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be checked out strictly before use and checked in again afterwards. The manager guarantees that only one thread may check out a single IKE_SA at a time. This allows us to write the (complex) IKE_SA routines in a non-thread-safe way.||
||[browser:trunk/src/charon/sa/ike_sa.h IKE_SA]||The IKE_SA contains the state and the logic of one IKE_SA and handles its messages.||
||[browser:trunk/src/charon/sa/child_sa.h CHILD_SA]||The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.||
||[browser:trunk/src/charon/kernel/kernel_interface.h Kernel Interface]||The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.||
||[browser:trunk/src/charon/bus/bus.h Bus]||The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages, are sent over the bus.||
||[browser:trunk/src/charon/control/controller.h Controller]||The controller provides a simple API for plugins to control the daemon (e.g. initiate IKE_SA, close IKE_SA, ...).||
||[browser:trunk/src/charon/config/backend_manager.h Backends]||Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration.||
||[browser:trunk/src/charon/credentials/credential_manager.h Credentials]||Provides trustchain verification and credential serving using registered plugins.||
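The check-out/check-in discipline enforced by the IKE_SA manager, modelled in Python as an added illustration (not strongSwan code): a pool of worker threads stands in for the processor, every queued job needs the same IKE_SA, and the manager's condition variable guarantees that no two threads are ever inside the IKE_SA at once, which is what lets the IKE_SA code stay non-thread-safe. The scheduler is left out, and `time.sleep` stands in for message processing; class and method names follow the page's terminology but are this sketch's own.

```python
# Added illustration of charon's checkout/checkin scheme (not strongSwan code); names follow the wiki page.
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class IkeSa:                      # state and logic of one IKE_SA, not thread-safe
    def __init__(self, spi):
        self.spi, self.msg_count = spi, 0
        self._active = 0          # instrumentation: threads currently inside
        self.max_concurrent = 0   # highest value _active ever reached
    def process_message(self):
        self._active += 1
        self.max_concurrent = max(self.max_concurrent, self._active)
        time.sleep(0.001)         # simulate work done without any lock held
        self.msg_count += 1
        self._active -= 1

class IkeSaManager:               # owns all IKE_SAs, hands each to one thread at a time
    def __init__(self):
        self._sas, self._checked_out = {}, set()
        self._cond = threading.Condition()
    def create(self, spi):
        with self._cond:
            self._sas[spi] = IkeSa(spi)
    def checkout(self, spi):
        with self._cond:          # block until nobody else holds this IKE_SA
            self._cond.wait_for(lambda: spi not in self._checked_out)
            self._checked_out.add(spi)
            return self._sas[spi]
    def checkin(self, sa):
        with self._cond:
            self._checked_out.discard(sa.spi)
            self._cond.notify_all()

def run_simulation(jobs=40, workers=8):
    manager = IkeSaManager()      # processor (thread pool) runs jobs on one IKE_SA
    manager.create(1)
    def job():                    # one queued job, as the processor would run it
        sa = manager.checkout(1)
        try:
            sa.process_message()
        finally:
            manager.checkin(sa)   # always check in, even on error
    with ThreadPoolExecutor(max_workers=workers) as processor:
        for _ in range(jobs):
            processor.submit(job)
    sa = manager.checkout(1)
    result = (sa.msg_count, sa.max_concurrent)   # (jobs, 1): no overlap
    manager.checkin(sa)
    return result
```

Removing the `wait_for` line and letting `checkout` hand out the IKE_SA unconditionally makes `max_concurrent` climb above 1, which is exactly the interleaving the manager exists to prevent.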

== Plugins ==

The daemon loads plugins at startup. These implement the [browser:trunk/src/libstrongswan/plugins/plugin.h plugin_t] interface. Each plugin registers itself at the daemon to hook in functionality.

{{{
+-------------------------------------+
| charon                          +---+     +-----+------+
|                                 |   |     |   stroke   |
|                                 |   |     +-----+------+
| +-------------+                 |   |     +-----+------+
| |     bus     |           ----> | p |     |    smp     |
| +-------------+                 | l |     +-----+------+
| +-------------+           <---- | u |     +-----+------+
| | controller  |                 | g |     |    sql     |
| +-------------+           ----> | i |     +-----+------+
| +-------------+                 | n |     +-----+------+
| | credentials |           <---- |   |     |  eap_aka   |
| +-------------+                 | l |     +-----+------+
| +-------------+           ----> | o |     +-----+------+
| |  backends   |                 | a |     |  eap_sim   |
| +-------------+           <---- | d |     +-----+------+
| +-------------+                 | e |     +-----+------+
| |     eap     |           ----> | r |     |  eap_md5   |
| +-------------+                 |   |     +-----+------+
|                                 |   |     +-----+------+
|                                 |   |     |eap_identity|
|                                 +---+     +-----+------+
+-------------------------------------+
}}}

There is a growing list of available plugins:
||[browser:trunk/src/charon/plugins/stroke stroke]||The stroke plugin loads credentials from ''/etc/ipsec.d'', reads ''ipsec.secrets'' and accepts configurations and control commands from ipsec starter.||
||[browser:trunk/src/charon/plugins/smp smp]||The smp plugin implements the [wiki:SMP] protocol to control and query the daemon using an XML interface.||
||[browser:trunk/src/charon/plugins/sql sql]||The sql plugin provides credentials and configurations from a relational database, see [wiki:SQL].||
||[browser:trunk/src/charon/plugins/eap_aka eap_aka]||Implements the AKA EAP module completely in software.||
||[browser:trunk/src/charon/plugins/eap_sim eap_sim]||Implements the SIM EAP module using either a triplet file or a third party card reader library.||
||[browser:trunk/src/charon/plugins/eap_md5 eap_md5]||Implements the MD5 EAP module (CHAP).||
||[browser:trunk/src/charon/plugins/eap_gtc eap_gtc]||Implements a GTC EAP module to use for PAM authentication.||
||[browser:trunk/src/charon/plugins/eap_identity eap_identity]||EAP helper module to serve an Identity over EAP before doing EAP authentication.||
||[browser:trunk/src/charon/plugins/load_tester load_tester]||Runs load tests against the daemon itself or a remote host.||
||[browser:trunk/src/charon/plugins/medcli medcli]||Reads mediation/mediated connections for a client from a simple database.||
||[browser:trunk/src/charon/plugins/medsrv medsrv]||Reads mediation connections for a mediation server from a simple database.||
||[browser:trunk/src/charon/plugins/nm nm]||!NetworkManager configuration and control interface.||
||[browser:trunk/src/charon/plugins/uci uci]||OpenWRT UCI configuration backend.||
||[browser:trunk/src/charon/plugins/unit_tester unit_tester]||Simple unit testing framework for charon and libstrongswan.||