IKE keying daemon charon » History » Version 3

Martin Willi, 08.07.2007 14:48
Capitalized captions

= IKEv2 keying daemon charon =

== Overview ==

The ''charon'' keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.

== Architecture ==

''charon'' has a fully multi-threaded design to meet today's requirements.
It is built modularly and is extensible through plugins.

{{{
      +--------+   +-------+   +--------+       +-----------+    +-----------+
      | Stroke |   |  XML  |   |  DBUS  |       |   Local   |    |   SQLite  |
      +--------+   +-------+   +--------+       +-----------+    +-----------+
          |            |           |                  |                |
      +---------------------------------+       +----------------------------+
      |             Interfaces          |       |          Backends          |
      +---------------------------------+       +----------------------------+


       +------------+    +-----------+        +------+            +----------+
       |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
       +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
            |            |           |        | SA   |--| SA   |  | CHILD_SA |
    +-------+--+         +-----------+        |      |  +------+  +----------+
 <->|  socket  |               |              | Man- |
    +-------+--+         +-----------+        | ager |  +------+  +----------+
            |            |           |        |      |  | IKE- |--| CHILD_SA |
       +----+-------+    | Processor |--------|      |--| SA   |  +----------+
       |   sender   |    |           |        |      |  +------+
       +------------+    +-----------+        +------+


      +---------------------------------+       +----------------------------+
      |               Bus               |       |      Kernel Interface      |
      +---------------------------------+       +----------------------------+
             |                    |                           |
      +-------------+     +-------------+                     V
      | File-Logger |     |  Sys-Logger |                  //////
      +-------------+     +-------------+
}}}

=== Processor ===

The threading is realized with the help of a thread pool (called processor),
which contains a fixed number of pre-created threads. All threads in the
daemon originate from the processor. To delegate work to a thread, jobs are
queued to the processor for asynchronous execution.

=== Scheduler ===

The scheduler is responsible for executing timed events. Jobs may be queued to
the scheduler to get executed at a defined time (e.g. rekeying). The scheduler
does not execute the jobs itself; when an event fires, it queues the job to the processor.

=== IKE_SA Manager ===

The IKE_SA manager manages all IKE_SAs. It further handles the synchronization:
each IKE_SA must be checked out strictly before use and checked in again afterwards. The
manager guarantees that only one thread at a time may check out a given IKE_SA. This allows
the (complex) IKE_SA routines to be written without any locking of their own, i.e. non-thread-safe.

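The three pieces above (processor, scheduler, IKE_SA manager) fit together as follows. This is an added illustration written in Go for this page, not charon's C code; the type and function names (`Processor`, `Scheduler`, `IKESAManager`, `Checkout`, `Checkin`) are this example's own. A fixed pool of workers drains one job queue, the scheduler never runs anything itself but hands expired jobs to that queue, and the manager serialises all access to an IKE_SA so that the SA's own methods can stay free of locks:

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Processor is the thread pool: a fixed number of workers created up front,
// all fed from one job queue. Names in this example are its own, not strongSwan's.
type Processor struct{ jobs chan func() }

func NewProcessor(workers int) *Processor {
	p := &Processor{jobs: make(chan func(), 64)}
	for i := 0; i < workers; i++ {
		go func() {
			for job := range p.jobs {
				job()
			}
		}()
	}
	return p
}

func (p *Processor) Queue(job func()) { p.jobs <- job }

// Shutdown closes the queue; workers exit once they have drained it.
func (p *Processor) Shutdown() { close(p.jobs) }

// Scheduler fires timed events but never runs a job itself: on expiry the job
// is queued to the processor. time.AfterFunc stands in for charon's timer thread.
type Scheduler struct{ proc *Processor }

func (s *Scheduler) Schedule(job func(), after time.Duration) {
	time.AfterFunc(after, func() { s.proc.Queue(job) })
}

// IKESA holds one IKE_SA's state. Its methods do no locking of their own;
// `held` is touched only by the manager's Checkout/Checkin.
type IKESA struct {
	held     sync.Mutex
	msgCount int
	rekeys   int
}

func (sa *IKESA) HandleMessage(msg string) { sa.msgCount++ }

// IKESAManager owns all IKE_SAs and hands out exclusive use of them.
type IKESAManager struct {
	mu  sync.Mutex // protects the table, not the SAs
	sas map[string]*IKESA
}

// Checkout returns nil for an unknown IKE_SA, otherwise blocks until no other
// worker holds it. The table lock is dropped before waiting so other SAs stay reachable.
func (m *IKESAManager) Checkout(id string) *IKESA {
	m.mu.Lock()
	sa := m.sas[id]
	m.mu.Unlock()
	if sa == nil {
		return nil
	}
	sa.held.Lock()
	return sa
}

func (m *IKESAManager) Checkin(sa *IKESA) { sa.held.Unlock() }

// RunDemo races `messages` jobs on `workers` threads against one IKE_SA while a
// scheduled rekey reaches it via the scheduler. Because every access goes through
// Checkout/Checkin, the unsynchronised counters inside the SA come out exact.
func RunDemo(workers, messages int) (handled, rekeys int) {
	proc := NewProcessor(workers)
	sched := &Scheduler{proc: proc}
	mgr := &IKESAManager{sas: map[string]*IKESA{"sa-1": {}}}
	var done sync.WaitGroup
	done.Add(messages + 1)
	for i := 0; i < messages; i++ {
		proc.Queue(func() {
			defer done.Done()
			sa := mgr.Checkout("sa-1")
			sa.HandleMessage("IKE_AUTH") // constructed input
			mgr.Checkin(sa)
		})
	}
	sched.Schedule(func() { // the "rekeying" timed event of the text
		defer done.Done()
		sa := mgr.Checkout("sa-1")
		sa.rekeys++
		mgr.Checkin(sa)
	}, 10*time.Millisecond)
	done.Wait()
	proc.Shutdown()
	sa := mgr.Checkout("sa-1")
	defer mgr.Checkin(sa)
	return sa.msgCount, sa.rekeys
}

func main() { fmt.Println(RunDemo(4, 1000)) }
```

The point to take from it is the ordering inside `Checkout`: the manager's table lock is released before the per-SA lock is taken, so a worker waiting for a busy IKE_SA does not stall every other IKE_SA in the daemon. A job that forgets to check its SA back in would block all later jobs for that SA for good, which is why the text calls the check-out discipline strict.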
=== IKE_SA ===

An IKE_SA object contains the state and the logic of one IKE_SA and handles its messages.

=== CHILD_SA ===

A CHILD_SA contains the state of an IPsec security association and manages it.
An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place
here through the kernel interface.

=== Kernel Interface ===

The kernel interface installs IPsec security associations, policies, routes and
virtual addresses. It further provides methods to enumerate interfaces and may notify
the daemon about state changes at lower layers.

=== Bus ===

The bus receives signals from the different threads and relays them to interested
listeners. Debugging signals, but also important state changes and error messages, are
sent over the bus.
Its listeners are used not only for logging, but also to track the state of an IKE_SA.

=== File-Logger and Sys-Logger ===

These bus listeners are registered permanently and log messages sent to the bus to a file
or to syslog. They filter the huge amount of messages down to a configured log level.

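The bus and its two kinds of listeners described in the last two sections, as an added Go illustration written for this page (not charon's code; `Bus`, `Signal`, `LevelLogger` and `StateTracker` are names assumed here). One listener type filters the signal stream down to a log level, as the file and syslog loggers do; the other ignores the log text entirely and only tracks per-IKE_SA state. The signals raised at the end are constructed for the demo:

```go
package main

import (
	"fmt"
	"sync"
)

// Level is the severity of a signal; loggers keep only signals up to their
// configured level. Names in this example are its own, not charon's.
type Level int

const (
	LevelError Level = iota
	LevelInfo
	LevelDebug
)

// Signal is what a worker thread raises on the bus: a level, the IKE_SA it
// concerns, an optional new state and a message.
type Signal struct {
	Level Level
	SA    string
	State string // non-empty only for state-change signals
	Msg   string
}

type Listener interface{ Signal(s Signal) }

// Bus relays every signal to every registered listener. Signals arrive
// concurrently from all processor threads, so delivery is serialised.
type Bus struct {
	mu        sync.Mutex
	listeners []Listener
}

func (b *Bus) AddListener(l Listener) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.listeners = append(b.listeners, l)
}

func (b *Bus) Raise(s Signal) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, l := range b.listeners {
		l.Signal(s)
	}
}

// LevelLogger stands in for the file and syslog loggers: it filters the
// signal stream down to its level and keeps the rest as formatted lines.
type LevelLogger struct {
	Max   Level
	Lines []string
}

func (l *LevelLogger) Signal(s Signal) {
	if s.Level > l.Max {
		return
	}
	l.Lines = append(l.Lines, fmt.Sprintf("[%s] %s", s.SA, s.Msg))
}

// StateTracker shows the other use of the bus: it ignores log text and
// records the latest state of each IKE_SA.
type StateTracker struct{ States map[string]string }

func (t *StateTracker) Signal(s Signal) {
	if s.State != "" {
		t.States[s.SA] = s.State
	}
}

// RunBusDemo wires up a syslog-like listener (info and above), a file-like
// listener (everything) and a state tracker, then raises a constructed
// sequence of signals resembling one IKE_SA being established and another failing.
func RunBusDemo() (syslog, file *LevelLogger, tracker *StateTracker) {
	bus := &Bus{}
	syslog = &LevelLogger{Max: LevelInfo}
	file = &LevelLogger{Max: LevelDebug}
	tracker = &StateTracker{States: map[string]string{}}
	for _, l := range []Listener{syslog, file, tracker} {
		bus.AddListener(l)
	}
	for _, s := range []Signal{ // constructed signals, not real daemon output
		{LevelInfo, "sa-1", "CONNECTING", "initiating IKE_SA"},
		{LevelDebug, "sa-1", "", "sending IKE_SA_INIT request"},
		{LevelDebug, "sa-1", "", "parsing IKE_AUTH response"},
		{LevelInfo, "sa-1", "ESTABLISHED", "IKE_SA established"},
		{LevelError, "sa-2", "DELETING", "authentication failed"},
	} {
		bus.Raise(s)
	}
	return syslog, file, tracker
}

func main() {
	syslog, file, tracker := RunBusDemo()
	fmt.Println(len(syslog.Lines), len(file.Lines), tracker.States)
}
```

Note that the loggers see the same signals the state tracker does; the filtering happens in each listener, not on the bus, which is what lets a debug-level file logger and an info-level syslog logger coexist without the bus knowing about log levels at all.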
=== Interfaces ===

The interface manager loads pluggable controlling interfaces. These are written to control
the daemon from external inputs (e.g. initiate an IKE_SA, close an IKE_SA, ...). The interface
manager further provides a simple API to carry out these tasks.

=== Backends ===

Backends are pluggable modules which provide configuration. They have to implement an API
which the daemon core uses to retrieve configuration.