IKE keying daemon charon » History » Version 15

Martin Willi, 05.05.2009 15:11
fixed tables converted from trac

h1. IKEv2 keying daemon charon

The _charon_ keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan. It has a fully multi-threaded design to meet today's requirements.

h2. Architecture

<pre>
      +---------------------------------+       +----------------------------+
      |          Credentials            |       |          Backends          |
      +---------------------------------+       +----------------------------+

       +------------+    +-----------+        +------+            +----------+
       |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
       +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
            |            |           |        | SA   |--| SA   |  | CHILD_SA |
    +-------+--+         +-----------+        |      |  +------+  +----------+
 <->|  socket  |               |              | Man- |
    +-------+--+         +-----------+        | ager |  +------+  +----------+
            |            |           |        |      |  | IKE- |--| CHILD_SA |
       +----+-------+    | Processor |--------|      |--| SA   |  +----------+
       |   sender   |    |           |        |      |  +------+
       +------------+    +-----------+        +------+

      +---------------------------------+       +----------------------------+
      |               Bus               |       |      Kernel Interface      |
      +---------------------------------+       +----------------------------+
             |                    |                           |
      +-------------+     +-------------+                     V
      | File-Logger |     |  Sys-Logger |                  //////
      +-------------+     +-------------+
</pre>

|_. Component     |_. Description|
|Processor        |The threading is realized with the help of a thread pool (called processor), which contains a fixed number of pre-created threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.|
|Scheduler        |The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor.|
|IKE_SA Manager   |The IKE_SA manager manages all IKE_SAs. It further handles synchronization: each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a single IKE_SA at a time. This allows the (complex) IKE_SA routines to be written without being thread-safe.|
|IKE_SA           |The IKE_SA contains the state and the logic of an IKE_SA and handles its messages.|
|CHILD_SA         |The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.|
|Kernel Interface |The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.|
|Bus              |The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes and error messages, are sent over the bus.|
|Controller       |The controller provides a simple API for plugins to control the daemon (e.g. initiate IKE_SA, close IKE_SA, ...).|
|Backends         |Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to retrieve configuration.|
|Credentials      |Provides trust chain verification and credential serving using registered plugins.|
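The interplay of scheduler, processor and IKE_SA manager described in the table, as a constructed single-threaded model (an added example, not strongSwan code): timed jobs sit in the scheduler, a tick hands due jobs to the processor, and the processor runs a job only after checking its IKE_SA out of the manager. The names, the non-blocking checkout that returns NULL instead of blocking the calling thread, and the rekey job are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed single-threaded model of the flow described above, not strongSwan
 * code: scheduler -> processor -> IKE_SA checked out of the manager for a job. */
typedef struct { int rekey_count; bool checked_out; } ike_sa_t;
typedef void (*job_fn)(ike_sa_t *sa);
typedef struct { int sa_id; job_fn fn; unsigned at; } job_t;
enum { MAX_JOBS = 16, NUM_SAS = 4 };
static job_t sched_q[MAX_JOBS]; static int sched_n;  /* waiting for their time */
static job_t proc_q[MAX_JOBS];  static int proc_n;   /* ready for execution */
static ike_sa_t sas[NUM_SAS];                        /* owned by the manager */
/* Manager: one holder per IKE_SA. Real charon blocks the calling thread
 * until check-in; this model returns NULL so the caller retries later. */
ike_sa_t *manager_checkout(int sa_id) {
    if (sa_id < 0 || sa_id >= NUM_SAS || sas[sa_id].checked_out) return NULL;
    sas[sa_id].checked_out = true;
    return &sas[sa_id];
}
void manager_checkin(ike_sa_t *sa) { sa->checked_out = false; }
/* Scheduler: accept a job for time 'at'; it never executes jobs itself. */
bool scheduler_schedule(int sa_id, job_fn fn, unsigned at) {
    if (sched_n == MAX_JOBS) return false;
    sched_q[sched_n++] = (job_t){ sa_id, fn, at };
    return true;
}
/* On a tick, every due job is handed to the processor queue; returns the count. */
int scheduler_tick(unsigned now) {
    int moved = 0, kept = 0;
    for (int i = 0; i < sched_n; i++) {
        if (sched_q[i].at <= now && proc_n < MAX_JOBS) { proc_q[proc_n++] = sched_q[i]; moved++; }
        else sched_q[kept++] = sched_q[i];
    }
    sched_n = kept;
    return moved;
}
/* Processor: run queued jobs; a job whose IKE_SA is busy stays queued. */
int processor_run(void) {
    int ran = 0, kept = 0;
    for (int i = 0; i < proc_n; i++) {
        ike_sa_t *sa = manager_checkout(proc_q[i].sa_id);
        if (!sa) { proc_q[kept++] = proc_q[i]; continue; }
        proc_q[i].fn(sa);      /* the job has the IKE_SA exclusively here */
        manager_checkin(sa);
        ran++;
    }
    proc_n = kept;
    return ran;
}
void rekey_job(ike_sa_t *sa) { sa->rekey_count++; }  /* stand-in for a rekeying job */
int rekey_count(int sa_id) { return sas[sa_id].rekey_count; }
```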
h2. Plugins

The daemon loads plugins at startup. These implement the plugin_t interface (source:src/libstrongswan/plugins/plugin.h). Each plugin registers itself with the daemon to hook in its functionality.

<pre>
  +-------------------------------------+
  | charon                  +---+ +-----+------+
  |                         |   | |   stroke   |
  |                         |   | +-----+------+
  | +-------------+         |   | +-----+------+
  | | bus         |  ---->  | p | |    smp     |
  | +-------------+         | l | +-----+------+
  | +-------------+  <----  | u | +-----+------+
  | | controller  |         | g | |    sql     |
  | +-------------+  ---->  | i | +-----+------+
  | +-------------+         | n | +-----+------+
  | | credentials |  <----  |   | |  eap_aka   |
  | +-------------+         | l | +-----+------+
  | +-------------+  ---->  | o | +-----+------+
  | | backends    |         | a | |  eap_sim   |
  | +-------------+  <----  | d | +-----+------+
  | +-------------+         | e | +-----+------+
  | | eap         |  ---->  | r | |  eap_md5   |
  | +-------------+         |   | +-----+------+
  |                         |   | +-----+------+
  |                         |   | |eap_identity|
  |                         +---+ +-----+------+
  +-------------------------------------+
</pre>

There is a growing list of available plugins (see source:src/charon/plugins):

|_. Plugin     |_. Description|
|stroke       |The stroke plugin loads credentials from _/etc/ipsec.d_, reads _ipsec.secrets_ and accepts configurations and control commands from ipsec starter.|
|smp          |The smp plugin implements the [[SMP]] protocol to control and query the daemon using an XML interface.|
|sql          |The sql plugin provides credentials and configurations from a relational database, see [[SQL]].|
|eap_aka      |Implements the AKA EAP module entirely in software.|
|eap_sim      |Implements the SIM EAP module using either a triplet file or a third-party card reader library.|
|eap_md5      |Implements the MD5 EAP module (CHAP).|
|eap_gtc      |Implements a GTC EAP module for use with PAM authentication.|
|eap_identity |EAP helper module to serve an identity over EAP before doing EAP authentication.|
|load_tester  |Runs [[LoadTests]] against self or a remote host.|
|medcli       |Reads mediation/mediated connections for a client from a simple database.|
|medsrv       |Reads mediation connections for a mediation server from a simple database.|
|nm           |NetworkManager configuration and control interface.|
|uci          |OpenWRT UCI configuration backend.|
|unit_tester  |Simple unit testing framework for charon and libstrongswan.|