Version 3 (Martin Willi, 08.07.2007 14:48) → Version 4/19 (Martin Willi, 31.03.2008 17:06)

= IKEv2 keying daemon charon =

== Overview ==
The ''charon'' keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.
''charon'' has a fully multi-threaded design to meet today's requirements.
It is built modularly and is extensible through plugins.

== Architecture ==
{{{
 +--------+ +-------+ +--------+      +-----------+ +-----------+
 | Stroke | |  XML  | |  DBUS  |      |   Local   | |  SQLite   |
 +--------+ +-------+ +--------+      +-----------+ +-----------+
      |         |         |                 |             |
 +---------------------------------+  +----------------------------+
 |   Interfaces       Credentials  |  |          Backends          |
 +---------------------------------+  +----------------------------+



   +------------+   +-----------+   +------+               +----------+
   |  receiver  |   |           |   |      |  +------+     | CHILD_SA |
   +-----+------+   | Scheduler |   | IKE- |  | IKE- |--+--+----------+
         |          |           |   |  SA  |--|  SA  |  |  +----------+
   +-----+----+     +-----------+   |      |  +------+  +--| CHILD_SA |
<->|  socket  |                     | Man- |               +----------+
   +-----+----+     +-----------+   | ager |  +------+     +----------+
         |          |           |   |      |  | IKE- |-----| CHILD_SA |
   +-----+------+   | Processor |---|      |--|  SA  |     +----------+
   |   sender   |   |           |   |      |  +------+
   +------------+   +-----------+   +------+



 +---------------------------------+  +----------------------------+
 |               Bus               |  |      Kernel Interface      |
 +---------------------------------+  +----------------------------+
        |                 |                         |
 +-------------+   +-------------+                  V
 | File-Logger |   | Sys-Logger  |               //////
 +-------------+   +-------------+
}}}

=== Processor ===
The threading is realized with the help of a thread pool (called processor),
which contains a fixed amount of precreated threads. All threads in the
daemon originate from the processor. To delegate work to a thread, jobs are
queued to the processor for asynchronous execution.

=== Scheduler ===

The scheduler is responsible for executing timed events. Jobs may be queued to
the scheduler to get executed at a defined time (e.g. rekeying). The scheduler
does not execute the jobs itself; it queues them to the processor.

=== IKE_SA Manager ===

The IKE_SA manager manages all IKE_SAs. It further handles the synchronization:
each IKE_SA must be checked out strictly and checked in again after use. The
manager guarantees that only one thread may check out a single IKE_SA. This allows
us to write the (complex) IKE_SA routines without making them thread-safe.
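The check-out/check-in rule is what lets the IKE_SA code itself stay lock-free. The following toy C model is an added illustration, not strongSwan's code: the names toy_ike_sa_t, manager_checkout, manager_checkin and run_contention are invented here, and the real manager's data structures are not modelled.

```c
#include <pthread.h>
#include <stdbool.h>

/* Toy model of the manager's check-out/check-in rule (added illustration, not
 * strongSwan's code): an IKE_SA is handed to at most one thread at a time, so
 * the routines that modify it need no locking of their own. */
#define MAX_SAS 4
/* state stands in for the real (non-thread-safe) IKE_SA state; holders counts
 * threads currently holding the IKE_SA, max_holders the peak ever observed. */
typedef struct { int state, holders, max_holders; } toy_ike_sa_t;

static toy_ike_sa_t sas[MAX_SAS];
static bool checked_out[MAX_SAS];
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t checked_in = PTHREAD_COND_INITIALIZER;
/* Blocks until nobody else holds IKE_SA 'id', then hands it out exclusively. */
toy_ike_sa_t *manager_checkout(int id) {
    pthread_mutex_lock(&lock);
    while (checked_out[id])
        pthread_cond_wait(&checked_in, &lock);
    checked_out[id] = true;
    pthread_mutex_unlock(&lock);
    return &sas[id];
}
/* Returns the IKE_SA and wakes threads waiting to check it out. */
void manager_checkin(toy_ike_sa_t *sa) {
    pthread_mutex_lock(&lock);
    checked_out[sa - sas] = false;
    pthread_cond_broadcast(&checked_in);
    pthread_mutex_unlock(&lock);
}
/* Worker: repeatedly checks out one IKE_SA and runs an unlocked update on it. */
static void *worker(void *arg) {
    for (int i = 0; i < 1000; i++) {
        toy_ike_sa_t *sa = manager_checkout(*(int *)arg);
        sa->holders++;
        if (sa->holders > sa->max_holders) sa->max_holders = sa->holders;
        sa->state++;    /* would be a data race without the manager */
        sa->holders--;
        manager_checkin(sa);
    }
    return NULL;
}

/* Runs n (assumed <= 8) workers on IKE_SA 'id'; returns the peak holder count. */
int run_contention(int id, int n) {
    pthread_t t[8];
    for (int i = 0; i < n; i++) pthread_create(&t[i], NULL, worker, &id);
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    return sas[id].max_holders;
}
```

With the manager in place the peak holder count stays at 1 and every increment of state lands, which is exactly what allows the IKE_SA routines to skip their own locking.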

=== IKE_SA ===

The IKE_SA contains the state and the logic of each IKE_SA and handles the messages.

=== CHILD_SA ===

The CHILD_SA contains the state of an IPsec security association and manages it.
An IKE_SA may have multiple CHILD_SAs. Communication to the kernel takes place
here through the kernel interface.

=== Kernel Interface ===

The kernel interface installs IPsec security associations, policies, routes and
virtual addresses. It further provides methods to enumerate interfaces and may notify
the daemon about state changes at lower layers.

=== Bus ===

The bus receives signals from the different threads and relays them to interested
listeners. Debugging signals, but also important state changes or error messages, are
sent over the bus.
Its listeners are not only used for logging, but also to track the state of an IKE_SA.

=== File-Logger and Sys-Logger ===

These bus listeners stay registered and log the messages sent to the bus to a simple file
or to the syslog. They filter the huge amount of messages
down to a defined loglevel.

=== Interfaces ===
The interface manager loads pluggable controlling interfaces. These are written to
control the daemon from external inputs (e.g. initiate IKE_SA, close IKE_SA, ...). The interface
manager further provides a simple API to carry out these tasks.

=== Backends ===
Backends are pluggable modules which provide configuration. They have to implement an API
which the daemon core uses to get configuration.

== Plugins ==

The daemon loads plugins at startup. These implement the plugin_t interface. Each plugin registers itself at the daemon to hook in functionality.

{{{
+-------------------------------------+
| charon                        +---+ |   +-----+------+
|                               |   | |   |   stroke   |
|                               |   | |   +-----+------+
|   +-------------+             |   | |   +-----+------+
|   |     bus     | ---->       | p | |   |    smp     |
|   +-------------+             | l | |   +-----+------+
|   +-------------+ <----       | u | |   +-----+------+
|   | controller  |             | g | |   |    sql     |
|   +-------------+ ---->       | i | |   +-----+------+
|   +-------------+             | n | |   +-----+------+
|   | credentials | <----       |   | |   |  eap_aka   |
|   +-------------+             | l | |   +-----+------+
|   +-------------+ ---->       | o | |   +-----+------+
|   |  backends   |             | a | |   |  eap_sim   |
|   +-------------+ <----       | d | |   +-----+------+
|   +-------------+             | e | |   +-----+------+
|   |     eap     | ---->       | r | |   |  eap_md5   |
|   +-------------+             |   | |   +-----+------+
|                               |   | |   +-----+------+
|                               |   | |   |eap_identity|
|                               +---+ |   +-----+------+
+-------------------------------------+
}}}

There is a growing list of available plugins:
||'''stroke'''||The stroke plugin loads credentials from ''/etc/ipsec.d'', reads ''ipsec.secrets'' and accepts configurations and control commands from ipsec starter.||
||'''smp'''||The smp plugin implements the [wiki:SMP] protocol to control and query the daemon using an XML interface.||
||'''sql'''||The sql plugin provides credentials and configurations from a relational database, see [wiki:SQL].||
||'''eap_aka'''||Implements the AKA EAP module, completely in software.||
||'''eap_sim'''||Implements the SIM EAP module using either a triplet file or a third party card reader library.||
||'''eap_md5'''||Implements the MD5 EAP module (CHAP).||
||'''eap_identity'''||EAP helper module to serve an Identity over EAP before doing EAP authentication.||