= IKEv2 keying daemon charon =
The ''charon'' keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan.
It has a fully multi-threaded design to meet today's requirements.
[Architecture diagram: receiver and sender threads around the socket, the Processor (thread pool) and Scheduler, the IKE_SA Manager holding the IKE_SAs with their CHILD_SAs, the Credentials and Backends, the Kernel Interface, and the Bus with its File-Logger and Sys-Logger listeners.]
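The check-out/check-in rule of the IKE_SA manager described in the component table is easy to get wrong, so here is an added example (not strongSwan code) that models it in C: a hypothetical `sa_checkout()` blocks until no other thread holds the SA, `sa_try_checkout()` refuses instead of blocking, and `sa_checkin()` releases it; concurrent jobs then mutate an SA's non-thread-safe state only while holding it. All names, the two-entry SA table and the 10000-iteration jobs are constructed for the example.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical model of charon's IKE_SA manager rule (not strongSwan code): an SA's
 * state is not thread-safe, so at most one thread holds it between checkout and checkin. */
typedef struct { bool checked_out; long counter; } sa_t; /* counter: non-thread-safe state */
static pthread_mutex_t manager_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t manager_changed = PTHREAD_COND_INITIALIZER; /* signalled on checkin */
static sa_t sas[2];  /* the manager's SA table (constructed, starts all free) */
/* Block until SA idx is free, then mark it held by the caller. */
sa_t *sa_checkout(int idx) {
    sa_t *sa = &sas[idx];
    pthread_mutex_lock(&manager_mutex);
    while (sa->checked_out)
        pthread_cond_wait(&manager_changed, &manager_mutex);
    sa->checked_out = true;
    pthread_mutex_unlock(&manager_mutex);
    return sa;
}
/* Non-blocking variant: NULL if another thread currently holds SA idx. */
sa_t *sa_try_checkout(int idx) {
    sa_t *sa = &sas[idx], *got = NULL;
    pthread_mutex_lock(&manager_mutex);
    if (!sa->checked_out) { sa->checked_out = true; got = sa; }
    pthread_mutex_unlock(&manager_mutex);
    return got;
}
/* Release the SA and wake threads waiting to check it out. */
void sa_checkin(sa_t *sa) {
    pthread_mutex_lock(&manager_mutex);
    sa->checked_out = false;
    pthread_cond_broadcast(&manager_changed);
    pthread_mutex_unlock(&manager_mutex);
}
/* A job as the processor's pool would run it: mutate SA 0 only inside checkout/checkin. */
static void *sa_job(void *arg) {
    for (int i = 0; i < 10000; i++) {
        sa_t *sa = sa_checkout(0);
        sa->counter++;   /* safe: no other thread holds SA 0 right now */
        sa_checkin(sa);
    }
    return arg;
}
/* Run n (at most 8) jobs concurrently; returns SA 0's final counter. */
long run_jobs(int n) {
    pthread_t tids[8];
    for (int i = 0; i < n; i++) pthread_create(&tids[i], NULL, sa_job, NULL);
    for (int i = 0; i < n; i++) pthread_join(tids[i], NULL);
    return sas[0].counter;
}
```

Without the checkout discipline the unsynchronized `counter++` would lose increments; with it, four jobs always end at exactly 40000.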
||'''Processor'''||The threading is realized with a thread pool (called the processor), which contains a fixed number of precreated threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.||
||'''Scheduler'''||The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to be executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor.||
||'''IKE_SA Manager'''||The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be strictly checked out before use and checked in again afterwards. The manager guarantees that only one thread may check out a given IKE_SA at a time. This allows the (complex) IKE_SA routines to be written non-thread-safe.||
||'''IKE_SA'''||The IKE_SA contains the state and the logic of each IKE_SA and handles the messages.||
||'''CHILD_SA'''||The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.||
||'''Kernel Interface'''||The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.||
||'''Bus'''||The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages, are sent over the bus.||
||'''Controller'''||The controller provides a simple API for plugins to control the daemon (e.g. initiate an IKE_SA, close an IKE_SA, ...).||
||'''Backends'''||Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration.||

== Plugins ==
The daemon loads plugins at startup. These implement the [browser:trunk/src/libstrongswan/plugins/plugin.h plugin_t] interface. Each plugin registers itself with the daemon to hook in its functionality.
[Plugin diagram: charon's bus, controller, credentials, backends and eap components are wired through the plugin loader to the stroke, smp, sql, eap_aka, eap_sim, eap_md5 and eap_identity plugins.]
|[browser:trunk/src/charon/plugins/stroke stroke]||The stroke plugin loads credentials from ''/etc/ipsec.d'', reads ''ipsec.secrets'' and accepts configurations and control commands from ipsec starter.|
|[browser:trunk/src/charon/plugins/smp smp]||The smp plugin implements the [wiki:SMP] protocol to control and query the daemon using an XML interface.|
|[browser:trunk/src/charon/plugins/sql sql]||The sql plugin provides credentials and configurations from a relational database, see [wiki:SQL].|
|[browser:trunk/src/charon/plugins/eap_aka eap_aka]||Implements the AKA EAP module completely in software.|
|[browser:trunk/src/charon/plugins/eap_sim eap_sim]||Implements the SIM EAP module using either a triplet file or a third party card reader library.|
|[browser:trunk/src/charon/plugins/eap_md5 eap_md5]||Implements the MD5 EAP module (CHAP).|
|[browser:trunk/src/charon/plugins/eap_identity eap_identity]||EAP helper module to serve an Identity over EAP before doing EAP authentication.|