
Version 14 (Tobias Brunner, 20.11.2008 18:00) → Version 15/19 (Martin Willi, 05.05.2009 15:11)


h1. IKEv2 keying daemon charon



The _charon_ keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.
It has a fully multi-threaded design to meet today's requirements.



h2. Architecture



<pre>
   +---------------------------------+       +----------------------------+
   |           Credentials           |       |          Backends          |
   +---------------------------------+       +----------------------------+

      +------------+    +-----------+        +------+            +----------+
      |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
      +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
           |            |           |        | SA   |--| SA   |  | CHILD_SA |
   +-------+--+         +-----------+        |      |  +------+  +----------+
<->| socket   |                 |              | Man- |
   +-------+--+         +-----------+        | ager |  +------+  +----------+
           |            |           |        |      |  | IKE- |--| CHILD_SA |
      +----+-------+    | Processor |--------|      |--| SA   |  +----------+
      |   sender   |    |           |        |      |  +------+
      +------------+    +-----------+        +------+

   +---------------------------------+       +----------------------------+
   |               Bus               |       |      Kernel Interface      |
   +---------------------------------+       +----------------------------+
          |                   |                           |
   +-------------+     +-------------+                    V
   | File-Logger |     |  Sys-Logger |                  //////
   +-------------+     +-------------+
</pre>

|[browser:trunk/src/charon/processing/processor.h Processor]|The threading is realized with the help of a thread pool (called processor), which contains a fixed number of precreated threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.|
|[browser:trunk/src/charon/processing/scheduler.h Scheduler]|The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to be executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor.|
|[browser:trunk/src/charon/sa/ike_sa_manager.h IKE_SA Manager]|The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a given IKE_SA at a time. This allows the (complex) IKE_SA routines to be written non-thread-safe.|
|[browser:trunk/src/charon/sa/ike_sa.h IKE_SA]|An IKE_SA object contains the state and the logic of one IKE_SA and handles its messages.|
|[browser:trunk/src/charon/sa/child_sa.h CHILD_SA]|A CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.|
|[browser:trunk/src/charon/kernel/kernel_interface.h Kernel Interface]|The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.|
|[browser:trunk/src/charon/bus/bus.h Bus]|The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages, are sent over the bus.|
|[browser:trunk/src/charon/control/controller.h Controller]|The controller provides a simple API for plugins to control the daemon (e.g. initiate an IKE_SA, close an IKE_SA, ...).|
|[browser:trunk/src/charon/config/backend_manager.h Backends]|Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration.|
|[browser:trunk/src/charon/credentials/credential_manager.h Credentials]|Provides trustchain verification and credential serving using registered plugins.|
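The division of labour between processor and scheduler described in the table above, as an added example that is not charon's code: a fixed pool of worker threads executes queued jobs, while a separate scheduler thread only holds timed jobs and hands each one to the pool once it is due. All names, the pool size and the 10 ms delay are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>
#define WORKERS 4   /* size of the precreated thread pool (assumed value) */
typedef struct job { void (*run)(struct job *); struct timespec due; struct job *next; } job_t;

/* ---- Processor: a fixed pool of worker threads that execute queued jobs asynchronously ---- */
static pthread_mutex_t p_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t p_cond = PTHREAD_COND_INITIALIZER;
static job_t *p_queue; static bool p_stop;
static void processor_queue(job_t *j)
{
    pthread_mutex_lock(&p_lock);
    j->next = p_queue; p_queue = j;          /* a LIFO list is enough for the demo */
    pthread_cond_signal(&p_cond);
    pthread_mutex_unlock(&p_lock);
}

static void *worker(void *unused)
{
    (void)unused;
    for (;;) {
        pthread_mutex_lock(&p_lock);
        while (!p_queue && !p_stop) pthread_cond_wait(&p_cond, &p_lock);
        if (!p_queue) { pthread_mutex_unlock(&p_lock); return NULL; }   /* stopped and drained */
        job_t *j = p_queue; p_queue = j->next;
        pthread_mutex_unlock(&p_lock);
        j->run(j); free(j);
    }
}

/* ---- Scheduler: holds timed jobs; a job that is due is queued to the processor, never run here ---- */
static pthread_mutex_t s_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t s_cond = PTHREAD_COND_INITIALIZER;
static job_t *s_queue; static bool s_stop;
static bool not_after(const struct timespec *a, const struct timespec *b)   /* a <= b */
{ return a->tv_sec < b->tv_sec || (a->tv_sec == b->tv_sec && a->tv_nsec <= b->tv_nsec); }
static void scheduler_schedule(job_t *j, long ms)
{
    clock_gettime(CLOCK_REALTIME, &j->due);
    j->due.tv_nsec += ms * 1000000L;
    j->due.tv_sec += j->due.tv_nsec / 1000000000L; j->due.tv_nsec %= 1000000000L;
    pthread_mutex_lock(&s_lock);
    j->next = s_queue; s_queue = j;
    pthread_cond_signal(&s_cond);            /* wake the scheduler so it recomputes its wait */
    pthread_mutex_unlock(&s_lock);
}

static void *scheduler(void *unused)
{
    (void)unused;
    pthread_mutex_lock(&s_lock);
    while (!s_stop || s_queue) {             /* on shutdown, still flush the pending jobs */
        struct timespec now; clock_gettime(CLOCK_REALTIME, &now);
        job_t **pp = &s_queue, *j, *soonest = NULL;
        while ((j = *pp)) {
            if (not_after(&j->due, &now)) { *pp = j->next; processor_queue(j); }
            else { if (!soonest || not_after(&j->due, &soonest->due)) soonest = j; pp = &j->next; }
        }
        if (soonest) pthread_cond_timedwait(&s_cond, &s_lock, &soonest->due);
        else if (!s_stop) pthread_cond_wait(&s_cond, &s_lock);
    }
    pthread_mutex_unlock(&s_lock);
    return NULL;
}

/* ---- Demo job: counts itself and records whether it ran before its due time ---- */
static pthread_mutex_t d_lock = PTHREAD_MUTEX_INITIALIZER;
static int executed, premature;
static void count_job(job_t *j)
{
    struct timespec now; clock_gettime(CLOCK_REALTIME, &now);
    pthread_mutex_lock(&d_lock);
    if (not_after(&j->due, &now)) executed++; else premature++;   /* immediate jobs have due = 0 */
    pthread_mutex_unlock(&d_lock);
}

/* Starts pool and scheduler, queues `immediate` jobs directly and `timed` jobs with a 10 ms
 * delay, shuts down cleanly and returns the number of executed jobs (-1 if one ran early). */
int run_jobs(int immediate, int timed)
{
    pthread_t w[WORKERS], s;
    p_queue = s_queue = NULL; p_stop = s_stop = false; executed = premature = 0;
    for (int i = 0; i < WORKERS; i++) pthread_create(&w[i], NULL, worker, NULL);
    pthread_create(&s, NULL, scheduler, NULL);
    for (int i = 0; i < immediate + timed; i++) {
        job_t *j = calloc(1, sizeof *j); j->run = count_job;
        if (i < immediate) processor_queue(j); else scheduler_schedule(j, 10);
    }
    pthread_mutex_lock(&s_lock); s_stop = true; pthread_cond_signal(&s_cond); pthread_mutex_unlock(&s_lock);
    pthread_join(s, NULL);                   /* returns once every timed job has been delegated */
    pthread_mutex_lock(&p_lock); p_stop = true; pthread_cond_broadcast(&p_cond); pthread_mutex_unlock(&p_lock);
    for (int i = 0; i < WORKERS; i++) pthread_join(w[i], NULL);
    return premature ? -1 : executed;
}
int main(void) { return run_jobs(20, 5) == 25 ? 0 : 1; }
```

The point to take from the shutdown sequence is the ordering: the scheduler is stopped and joined first, so every timed job has been delegated before the pool is told to stop, and the workers only exit once their queue is empty. Stopping in the other order would silently drop rekeying-style jobs that were still pending.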

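The check-out/check-in rule of the IKE_SA manager from the table above, as an added example that is not charon's code: the manager keeps one mutex and a per-SA "checked out" flag, a thread that wants an IKE_SA blocks until the current holder checks it in, and the SA's own update code can therefore be written without any locking of its own. The structure layout, thread count and the artificial pause are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <time.h>

#define SAS 2        /* IKE_SAs in the demo (assumed) */
#define THREADS 8    /* concurrent "message handlers" (assumed) */

/* An IKE_SA as a plain structure: it carries no lock, its logic may be non-thread-safe. */
typedef struct { int id; int counter; } ike_sa_t;

/* The manager owns all IKE_SAs and tracks which ones are currently checked out. */
static ike_sa_t sas[SAS];
static bool checked_out[SAS];
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;

/* Blocks until the IKE_SA is free, then hands it to the caller exclusively. */
static ike_sa_t *ike_sa_manager_checkout(int id)
{
    pthread_mutex_lock(&lock);
    while (checked_out[id]) pthread_cond_wait(&cond, &lock);   /* wait for the current holder */
    checked_out[id] = true;
    pthread_mutex_unlock(&lock);
    return &sas[id];
}

/* Returns the IKE_SA to the manager and wakes threads waiting for it. */
static void ike_sa_manager_checkin(ike_sa_t *sa)
{
    pthread_mutex_lock(&lock);
    checked_out[sa->id] = false;
    pthread_cond_broadcast(&cond);
    pthread_mutex_unlock(&lock);
}

/* Simulated message handling: a deliberately non-atomic read-modify-write on the SA, with a
 * pause that widens the window in which a second, unsynchronised thread would collide. */
static void handle_message(ike_sa_t *sa)
{
    int c = sa->counter;
    struct timespec pause = { 0, 100000 };   /* 0.1 ms */
    nanosleep(&pause, NULL);
    sa->counter = c + 1;
}

typedef struct { int sa_id; int rounds; } work_t;

static void *handler_thread(void *arg)
{
    work_t *w = arg;
    for (int i = 0; i < w->rounds; i++) {
        ike_sa_t *sa = ike_sa_manager_checkout(w->sa_id);   /* strictly check out ... */
        handle_message(sa);
        ike_sa_manager_checkin(sa);                         /* ... and check in after use */
    }
    return NULL;
}

/* Runs THREADS handlers, each doing `rounds` updates on one of the SAs, and returns the sum of
 * all counters. It equals THREADS * rounds exactly when no update was lost. */
int run_handlers(int rounds)
{
    pthread_t t[THREADS]; work_t w[THREADS];
    for (int i = 0; i < SAS; i++) { sas[i].id = i; sas[i].counter = 0; checked_out[i] = false; }
    for (int i = 0; i < THREADS; i++) {
        w[i].sa_id = i % SAS; w[i].rounds = rounds;
        pthread_create(&t[i], NULL, handler_thread, &w[i]);
    }
    for (int i = 0; i < THREADS; i++) pthread_join(t[i], NULL);
    int total = 0;
    for (int i = 0; i < SAS; i++) total += sas[i].counter;
    return total;
}

int main(void) { return run_handlers(50) == THREADS * 50 ? 0 : 1; }
```

Removing the two manager calls from `handler_thread` turns `handle_message` into a classic lost-update race; with them in place the counters always add up, which is exactly the guarantee that lets the real IKE_SA code stay lock-free internally. The price is that a thread holding an IKE_SA must check it in promptly, since every other message for that SA waits behind it.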

h2. Plugins



The daemon loads plugins at startup. These implement the [browser:trunk/src/libstrongswan/plugins/plugin.h plugin_t] interface. Each plugin registers itself at the daemon to hook in functionality.

<pre>
+-------------------------------------+
| charon                        +---+ |     +-----+------+
|                               |   | |     |   stroke   |
|                               |   | |     +-----+------+
|   +-------------+             |   | |     +-----+------+
|   |     bus     | ---->       | p | |     |    smp     |
|   +-------------+             | l | |     +-----+------+
|   +-------------+       <---- | u | |     +-----+------+
|   | controller  |             | g | |     |    sql     |
|   +-------------+       ----> | i | |     +-----+------+
|   +-------------+             | n | |     +-----+------+
|   | credentials | <----       |   | |     |  eap_aka   |
|   +-------------+             | l | |     +-----+------+
|   +-------------+       ----> | o | |     +-----+------+
|   |  backends   |             | a | |     |  eap_sim   |
|   +-------------+       <---- | d | |     +-----+------+
|   +-------------+             | e | |     +-----+------+
|   |     eap     | ---->       | r | |     |  eap_md5   |
|   +-------------+             |   | |     +-----+------+
|                               |   | |     +-----+------+
|                               |   | |     |eap_identity|
|                               +---+ |     +-----+------+
+-------------------------------------+
</pre>
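How a plugin "hooks in" by registering itself with a daemon component, as an added example that is not charon's or libstrongswan's code: a much reduced `plugin_t` with only a `destroy` method, a tiny bus that relays signals to registered listeners, and a logger plugin in the spirit of the file logger that subscribes on creation and unsubscribes on destroy. The interface shape, the bus API and the sample signals are all assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Assumed, much reduced shape of a plugin object: the daemon only needs to be able to
 * destroy it at shutdown; everything else a plugin does is by registering itself. */
typedef struct plugin_t plugin_t;
struct plugin_t { void (*destroy)(plugin_t *this); };

/* A minimal bus: listeners register a callback and get every signal relayed to them. */
#define MAX_LISTENERS 8
typedef void (*listener_fn)(void *ctx, const char *signal, int level);
static struct { listener_fn fn; void *ctx; } listeners[MAX_LISTENERS];
static int listener_count;

static bool bus_add_listener(listener_fn fn, void *ctx)
{
    if (listener_count == MAX_LISTENERS) return false;
    listeners[listener_count].fn = fn; listeners[listener_count].ctx = ctx;
    listener_count++;
    return true;
}

static void bus_remove_listener(listener_fn fn, void *ctx)
{
    for (int i = 0; i < listener_count; i++) {
        if (listeners[i].fn == fn && listeners[i].ctx == ctx) {
            listeners[i] = listeners[--listener_count];   /* listener order is irrelevant */
            return;
        }
    }
}

static void bus_signal(const char *signal, int level)
{
    for (int i = 0; i < listener_count; i++) listeners[i].fn(listeners[i].ctx, signal, level);
}

int bus_listener_count(void) { return listener_count; }

/* A logger plugin: it hooks into the bus when created and unhooks on destroy, so the bus
 * never calls into a plugin that has already been unloaded. */
typedef struct { plugin_t public; int level; int received; } logger_t;

static void logger_listen(void *ctx, const char *signal, int level)
{
    logger_t *this = ctx;
    (void)signal;                                   /* a real logger would write it to its file */
    if (level <= this->level) this->received++;
}

static void logger_destroy(plugin_t *plugin)
{
    logger_t *this = (logger_t *)plugin;            /* plugin_t is the first member */
    bus_remove_listener(logger_listen, this);
    free(this);
}

plugin_t *logger_plugin_create(int level)
{
    logger_t *this = calloc(1, sizeof *this);
    this->public.destroy = logger_destroy;
    this->level = level;
    bus_add_listener(logger_listen, this);          /* the plugin registers itself at the daemon */
    return &this->public;
}

/* Daemon side: load the plugin, emit some constructed sample signals, unload it again.
 * Returns the number of signals the logger accepted while it was loaded. */
int run_daemon(void)
{
    plugin_t *plugins[] = { logger_plugin_create(1) };   /* level 1: only important signals */
    int loaded = sizeof plugins / sizeof plugins[0];
    bus_signal("IKE_SA established", 1);
    bus_signal("parsed payload", 3);                /* too verbose for level 1 */
    bus_signal("authentication failed", 0);
    int received = ((logger_t *)plugins[0])->received;
    for (int i = loaded - 1; i >= 0; i--) plugins[i]->destroy(plugins[i]);   /* unload in reverse */
    bus_signal("after unload", 0);                  /* reaches no listener any more */
    return received;
}
```

The detail worth copying is that registration and de-registration live in the plugin's constructor and destructor: if a plugin registered a callback but did not remove it on destroy, the bus would keep a dangling pointer into unloaded code, which is a use-after-free waiting for the next signal.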



There is a growing list of available plugins (see source:src/charon/plugins):

|[browser:trunk/src/charon/plugins/stroke stroke]|The stroke plugin loads credentials from _/etc/ipsec.d_, reads _ipsec.secrets_ and accepts configurations and control commands from ipsec starter.|
|[browser:trunk/src/charon/plugins/smp smp]|The smp plugin implements the [[SMP]] protocol to control and query the daemon using an XML interface.|
|[browser:trunk/src/charon/plugins/sql sql]|The sql plugin provides credentials and configurations from a relational database, see [[SQL]].|
|[browser:trunk/src/charon/plugins/eap_aka eap_aka]|Implements the AKA EAP module, completely in software.|
|[browser:trunk/src/charon/plugins/eap_sim eap_sim]|Implements the SIM EAP module using either a triplet file or a third-party card reader library.|
|[browser:trunk/src/charon/plugins/eap_md5 eap_md5]|Implements the MD5 EAP module (CHAP).|
|[browser:trunk/src/charon/plugins/eap_gtc eap_gtc]|Implements a GTC EAP module for use with PAM authentication.|
|[browser:trunk/src/charon/plugins/eap_identity eap_identity]|EAP helper module to serve an identity over EAP before doing EAP authentication.|
|[browser:trunk/src/charon/plugins/load_tester load_tester]|Runs [[LoadTests]] against the daemon itself or a remote host.|
|[browser:trunk/src/charon/plugins/medcli medcli]|Reads mediation/mediated connections for a client from a simple database.|
|[browser:trunk/src/charon/plugins/medsrv medsrv]|Reads mediation connections for a mediation server from a simple database.|
|[browser:trunk/src/charon/plugins/nm nm]|!NetworkManager configuration and control interface.|
|[browser:trunk/src/charon/plugins/uci uci]|OpenWRT UCI configuration backend.|
|[browser:trunk/src/charon/plugins/unit_tester unit_tester]|Simple unit testing framework for charon and libstrongswan.|