IKE keying daemon charon » History » Version 14

Tobias Brunner, 20.11.2008 18:00
typos


IKEv2 keying daemon charon

The charon keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.
It has a fully multi-threaded design to meet today's requirements.

Architecture

      +---------------------------------+       +----------------------------+
      |          Credentials            |       |          Backends          |
      +---------------------------------+       +----------------------------+  

       +------------+    +-----------+        +------+            +----------+
       |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
       +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
            |            |           |        | SA   |--| SA   |  | CHILD_SA |
    +-------+--+         +-----------+        |      |  +------+  +----------+
 <->|  socket  |               |              | Man- |
    +-------+--+         +-----------+        | ager |  +------+  +----------+
            |            |           |        |      |  | IKE- |--| CHILD_SA |
       +----+-------+    | Processor |--------|      |--| SA   |  +----------+
       |   sender   |    |           |        |      |  +------+                  
       +------------+    +-----------+        +------+                   

      +---------------------------------+       +----------------------------+
      |               Bus               |       |      Kernel Interface      |
      +---------------------------------+       +----------------------------+                                                                 
             |                    |                           |
      +-------------+     +-------------+                     V
      | File-Logger |     |  Sys-Logger |                  //////
      +-------------+     +-------------+                       

[browser:trunk/src/charon/processing/processor.h Processor] The threading is realized with the help of a thread pool (called processor), which contains a fixed number of pre-created threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.
[browser:trunk/src/charon/processing/scheduler.h Scheduler] The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor.
[browser:trunk/src/charon/sa/ike_sa_manager.h IKE_SA Manager] The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a single IKE_SA. This allows us to write the (complex) IKE_SA routines in a non-thread-safe way.
[browser:trunk/src/charon/sa/ike_sa.h IKE_SA] The IKE_SA contains the state and the logic of each IKE_SA and handles the messages.
[browser:trunk/src/charon/sa/child_sa.h CHILD_SA] The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.
[browser:trunk/src/charon/kernel/kernel_interface.h Kernel Interface] The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.
[browser:trunk/src/charon/bus/bus.h Bus] The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages, are sent over the bus.
[browser:trunk/src/charon/control/controller.h Controller] The controller provides a simple API for plugins to control the daemon (e.g. initiate IKE_SA, close IKE_SA, ...).
[browser:trunk/src/charon/config/backend_manager.h Backends] Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration.
[browser:trunk/src/charon/credentials/credential_manager.h Credentials] Provides trustchain verification and credential serving using registered plugins.
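The scheduler, processor and IKE_SA manager contract above, as an added single-threaded model that is not charon's own code: the scheduler only moves due jobs to the processor queue, and a job may touch an IKE_SA only between checkout and checkin, so a second checkout of a held SA fails instead of racing (all names such as ike_sa_t, checkout and scheduler_tick are hypothetical).

```c
/* Added illustration, not charon's own code: a single-threaded model of the
 * scheduler -> processor -> IKE_SA manager flow. Every name is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_SAS  4
#define MAX_JOBS 8
typedef struct { unsigned id; bool checked_out; int rekeys; } ike_sa_t;
typedef struct { unsigned sa_id; long due; } job_t;      /* a timed rekey job */
static ike_sa_t sas[MAX_SAS]; static size_t n_sas;     /* IKE_SA manager */
static job_t timed[MAX_JOBS]; static size_t n_timed;   /* scheduler: timed jobs */
static job_t ready[MAX_JOBS]; static size_t n_ready;   /* processor: job queue */
static bool manager_add(unsigned id) {
    if (n_sas == MAX_SAS) return false;
    sas[n_sas++] = (ike_sa_t){ id, false, 0 }; return true;
}
/* Manager: hand out an IKE_SA exclusively; NULL while another holder has it. */
static ike_sa_t *checkout(unsigned id) {
    for (size_t i = 0; i < n_sas; i++) {
        if (sas[i].id != id || sas[i].checked_out) continue;
        sas[i].checked_out = true;
        return &sas[i];
    }
    return NULL;
}
static void checkin(ike_sa_t *sa) { sa->checked_out = false; }
static bool schedule(unsigned sa_id, long due) {
    if (n_timed == MAX_JOBS) return false;
    timed[n_timed++] = (job_t){ sa_id, due }; return true;
}
/* Scheduler tick: move jobs that are due to the processor; never run them here. */
static size_t scheduler_tick(long now) {
    size_t moved = 0;
    for (size_t i = 0; i < n_timed; ) {
        if (timed[i].due > now || n_ready == MAX_JOBS) { i++; continue; }
        ready[n_ready++] = timed[i];
        timed[i] = timed[--n_timed]; moved++;   /* swap-remove; order is irrelevant */
    }
    return moved;
}
/* Processor: a pool thread takes one job, which checks the IKE_SA out, mutates
 * it without locks of its own, and checks it in; a held SA means requeue. */
static bool processor_run_one(void) {
    if (n_ready == 0) return false;
    job_t j = ready[--n_ready];
    ike_sa_t *sa = checkout(j.sa_id);
    if (!sa) { ready[n_ready++] = j; return false; }
    sa->rekeys++;
    checkin(sa);
    return true;
}
```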

Plugins

The daemon loads plugins at startup. These implement the [browser:trunk/src/libstrongswan/plugins/plugin.h plugin_t] interface. Each plugin registers itself with the daemon to hook in functionality.

  +-------------------------------------+
  | charon                  +---+ +-----+------+
  |                         |   | |   stroke   |
  |                         |   | +-----+------+
  | +-------------+         |   | +-----+------+
  | | bus         |  ---->  | p | |    smp     |
  | +-------------+         | l | +-----+------+
  | +-------------+  <----  | u | +-----+------+
  | | controller  |         | g | |    sql     |
  | +-------------+  ---->  | i | +-----+------+
  | +-------------+         | n | +-----+------+
  | | credentials |  <----  |   | |  eap_aka   |
  | +-------------+         | l | +-----+------+
  | +-------------+  ---->  | o | +-----+------+
  | | backends    |         | a | |  eap_sim   |
  | +-------------+  <----  | d | +-----+------+
  | +-------------+         | e | +-----+------+
  | | eap         |  ---->  | r | |  eap_md5   |
  | +-------------+         |   | +-----+------+
  |                         |   | +-----+------+
  |                         |   | |eap_identity|
  |                         +---+ +-----+------+
  +-------------------------------------+
There is a growing list of available plugins:
[browser:trunk/src/charon/plugins/stroke stroke] The stroke plugin loads credentials from /etc/ipsec.d, reads ipsec.secrets and accepts configurations and control commands from ipsec starter.
[browser:trunk/src/charon/plugins/smp smp] The smp plugin implements the SMP protocol to control and query the daemon using an XML interface.
[browser:trunk/src/charon/plugins/sql sql] The sql plugin provides credentials and configurations from a relational database, see SQL.
[browser:trunk/src/charon/plugins/eap_aka eap_aka] Implements the EAP-AKA module completely in software.
[browser:trunk/src/charon/plugins/eap_sim eap_sim] Implements the SIM EAP module using either a triplet file or a third party card reader library.
[browser:trunk/src/charon/plugins/eap_md5 eap_md5] Implements the MD5 EAP module (CHAP).
[browser:trunk/src/charon/plugins/eap_gtc eap_gtc] Implements a GTC EAP module to use for PAM authentication.
[browser:trunk/src/charon/plugins/eap_identity eap_identity] EAP helper module to serve an Identity over EAP before doing EAP authentication.
[browser:trunk/src/charon/plugins/load_tester load_tester] Runs LoadTests against the daemon itself or a remote host.
[browser:trunk/src/charon/plugins/medcli medcli] Reads mediation/mediated connections for a client from a simple database.
[browser:trunk/src/charon/plugins/medsrv medsrv] Reads mediation connections for a mediation server from a simple database.
[browser:trunk/src/charon/plugins/nm nm] NetworkManager configuration and control interface.
[browser:trunk/src/charon/plugins/uci uci] OpenWRT UCI configuration backend.
[browser:trunk/src/charon/plugins/unit_tester unit_tester] Simple unit testing framework for charon and libstrongswan.