IKE keying daemon charon » History » Version 6

Martin Willi, 01.04.2008 10:50

= IKEv2 keying daemon charon =

The ''charon'' keying daemon was built from scratch to implement the IKEv2 protocol for strongSwan. It has a fully multi-threaded design to meet today's requirements.

== Architecture ==
{{{
      +---------------------------------+       +----------------------------+
      |          Credentials            |       |          Backends          |
      +---------------------------------+       +----------------------------+

       +------------+    +-----------+        +------+            +----------+
       |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
       +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
            |            |           |        | SA   |--| SA   |  | CHILD_SA |
    +-------+--+         +-----------+        |      |  +------+  +----------+
 <->|  socket  |               |              | Man- |
    +-------+--+         +-----------+        | ager |  +------+  +----------+
            |            |           |        |      |  | IKE- |--| CHILD_SA |
       +----+-------+    | Processor |--------|      |--| SA   |  +----------+
       |   sender   |    |           |        |      |  +------+
       +------------+    +-----------+        +------+

      +---------------------------------+       +----------------------------+
      |               Bus               |       |      Kernel Interface      |
      +---------------------------------+       +----------------------------+
             |                    |                           |
      +-------------+     +-------------+                     V
      | File-Logger |     |  Sys-Logger |                  //////
      +-------------+     +-------------+
}}}

||'''Processor'''||Threading is realized with the help of a thread pool (called the processor), which contains a fixed number of pre-created threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution.||
||'''Scheduler'''||The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to be executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself; it queues them to the processor.||
||'''IKE_SA Manager'''||The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a given IKE_SA at a time. This allows us to write the (complex) IKE_SA routines in a non-thread-safe way.||
||'''IKE_SA'''||The IKE_SA contains the state and the logic of each IKE_SA and handles its messages.||
||'''CHILD_SA'''||The CHILD_SA contains the state of an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place here through the kernel interface.||
||'''Kernel Interface'''||The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.||
||'''Bus'''||The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes and error messages, are sent over the bus.||
||'''Controller'''||The controller provides a simple API for plugins to control the daemon (e.g. initiate an IKE_SA, close an IKE_SA, ...).||
||'''Backends'''||Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration.||

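The check-out/check-in discipline of the IKE_SA manager is the mechanism that lets the IKE_SA routines stay non-thread-safe while the daemon as a whole is multi-threaded. The following is an added example, not charon's own code: a cut-down, hypothetical manager (the `ike_sa_t`, `ike_sa_manager_t`, SPI values and the `run_contention` driver are all constructed for this illustration) that guards the `checked_out` flag of every SA with one mutex and condition variable, while the SA bodies themselves are left unlocked. Worker threads then hammer one SA with a deliberately unprotected counter update; with exclusive checkout in place the counter still ends up exact and no thread ever observes a second holder.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, cut-down IKE_SA: only the state this example touches. */
typedef struct {
    uint64_t spi;          /* lookup key (constructed values below) */
    unsigned retransmits;  /* updated by a deliberately non-thread-safe routine */
    unsigned in_use;       /* how many threads currently believe they hold the SA */
    bool checked_out;      /* set while exactly one thread holds the SA */
} ike_sa_t;

#define MAX_SAS 8

/* Hypothetical manager: the lock protects only the checked_out flags. */
typedef struct {
    ike_sa_t sas[MAX_SAS];
    size_t count;
    pthread_mutex_t lock;
    pthread_cond_t changed;
} ike_sa_manager_t;

void ike_sa_manager_init(ike_sa_manager_t *mgr)
{
    mgr->count = 0;
    pthread_mutex_init(&mgr->lock, NULL);
    pthread_cond_init(&mgr->changed, NULL);
}

/* Register a new SA under spi; false if the fixed table is full. */
bool ike_sa_manager_create(ike_sa_manager_t *mgr, uint64_t spi)
{
    bool ok = false;
    pthread_mutex_lock(&mgr->lock);
    if (mgr->count < MAX_SAS) {
        mgr->sas[mgr->count] = (ike_sa_t){spi, 0, 0, false};
        mgr->count++;
        ok = true;
    }
    pthread_mutex_unlock(&mgr->lock);
    return ok;
}

/* Check out the SA with the given SPI. Blocks until no other thread holds it,
 * so the caller may run non-thread-safe SA routines until it checks in.
 * Returns NULL if no SA with that SPI exists. */
ike_sa_t *ike_sa_manager_checkout(ike_sa_manager_t *mgr, uint64_t spi)
{
    ike_sa_t *found = NULL;
    pthread_mutex_lock(&mgr->lock);
    for (size_t i = 0; i < mgr->count; i++) {
        if (mgr->sas[i].spi == spi) { found = &mgr->sas[i]; break; }
    }
    if (found) {
        while (found->checked_out)   /* another thread holds it: wait our turn */
            pthread_cond_wait(&mgr->changed, &mgr->lock);
        found->checked_out = true;
    }
    pthread_mutex_unlock(&mgr->lock);
    return found;
}

/* Return the SA and wake any threads waiting to check it out. */
void ike_sa_manager_checkin(ike_sa_manager_t *mgr, ike_sa_t *sa)
{
    pthread_mutex_lock(&mgr->lock);
    sa->checked_out = false;
    pthread_cond_broadcast(&mgr->changed);
    pthread_mutex_unlock(&mgr->lock);
}

/* Contention driver: several threads repeatedly check out the same SA. */
typedef struct { ike_sa_manager_t *mgr; uint64_t spi; unsigned iters, violations; } worker_arg_t;

static void *worker(void *p)
{
    worker_arg_t *arg = p;
    for (unsigned i = 0; i < arg->iters; i++) {
        ike_sa_t *sa = ike_sa_manager_checkout(arg->mgr, arg->spi);
        /* Everything between checkout and checkin is unlocked on purpose. */
        sa->in_use++;
        if (sa->in_use != 1) arg->violations++;  /* saw a concurrent holder */
        sa->retransmits++;                       /* the non-thread-safe routine */
        sa->in_use--;
        ike_sa_manager_checkin(arg->mgr, sa);
    }
    return NULL;
}

typedef struct { unsigned retransmits, violations; } contention_result_t;

/* Expected: retransmits == threads * iters, violations == 0. */
contention_result_t run_contention(unsigned threads, unsigned iters)
{
    ike_sa_manager_t mgr;
    pthread_t tids[64];
    worker_arg_t args[64];
    contention_result_t r = {0, 0};
    const uint64_t spi = 0x1234;            /* constructed SPI */
    if (threads > 64) threads = 64;
    ike_sa_manager_init(&mgr);
    ike_sa_manager_create(&mgr, spi);
    ike_sa_manager_create(&mgr, 0x5678);    /* an uncontended second SA */
    for (unsigned t = 0; t < threads; t++) {
        args[t] = (worker_arg_t){&mgr, spi, iters, 0};
        pthread_create(&tids[t], NULL, worker, &args[t]);
    }
    for (unsigned t = 0; t < threads; t++) {
        pthread_join(tids[t], NULL);
        r.violations += args[t].violations;
    }
    ike_sa_t *sa = ike_sa_manager_checkout(&mgr, spi);
    r.retransmits = sa->retransmits;
    ike_sa_manager_checkin(&mgr, sa);
    pthread_cond_destroy(&mgr.changed);
    pthread_mutex_destroy(&mgr.lock);
    return r;
}

int main(void)
{
    contention_result_t r = run_contention(8, 1000);
    printf("retransmits=%u violations=%u\n", r.retransmits, r.violations);
    return (r.violations == 0 && r.retransmits == 8000) ? 0 : 1;
}
```

The design point to take away is that the lock is held only for the bookkeeping, never across the SA's own work: a thread that has checked out an SA can run arbitrarily long message handling without blocking threads that work on other SAs, and the manager, not the SA code, is the single place where mutual exclusion has to be right. Deleting the `checked_out` wait in `ike_sa_manager_checkout` turns `violations` non-zero and the counter inexact on any real multi-core machine, which is exactly the class of bug the strict check-out rule exists to prevent.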
== Plugins ==

The daemon loads plugins at startup. These implement the [browser:trunk/src/libstrongswan/plugins/plugin.h plugin_t] interface. Each plugin registers itself at the daemon to hook in functionality.

{{{
  +-------------------------------------+
  | charon                  +---+ +-----+------+
  |                         |   | |   stroke   |
  |                         |   | +-----+------+
  | +-------------+         |   | +-----+------+
  | | bus         |  ---->  | p | |    smp     |
  | +-------------+         | l | +-----+------+
  | +-------------+  <----  | u | +-----+------+
  | | controller  |         | g | |    sql     |
  | +-------------+  ---->  | i | +-----+------+
  | +-------------+         | n | +-----+------+
  | | credentials |  <----  |   | |  eap_aka   |
  | +-------------+         | l | +-----+------+
  | +-------------+  ---->  | o | +-----+------+
  | | backends    |         | a | |  eap_sim   |
  | +-------------+  <----  | d | +-----+------+
  | +-------------+         | e | +-----+------+
  | | eap         |  ---->  | r | |  eap_md5   |
  | +-------------+         |   | +-----+------+
  |                         |   | +-----+------+
  |                         |   | |eap_identity|
  |                         +---+ +-----+------+
  +-------------------------------------+
}}}

There is a growing list of available plugins:
||[browser:trunk/src/charon/plugins/stroke stroke]||The stroke plugin loads credentials from ''/etc/ipsec.d'', reads ''ipsec.secrets'' and accepts configurations and control commands from ipsec starter.||
||[browser:trunk/src/charon/plugins/smp smp]||The smp plugin implements the [wiki:SMP] protocol to control and query the daemon using an XML interface.||
||[browser:trunk/src/charon/plugins/sql sql]||The sql plugin provides credentials and configurations from a relational database, see [wiki:SQL].||
||[browser:trunk/src/charon/plugins/eap_aka eap_aka]||Implements the AKA EAP module, completely in software.||
||[browser:trunk/src/charon/plugins/eap_sim eap_sim]||Implements the SIM EAP module using either a triplet file or a third-party card reader library.||
||[browser:trunk/src/charon/plugins/eap_md5 eap_md5]||Implements the MD5 EAP module (CHAP).||
||[browser:trunk/src/charon/plugins/eap_identity eap_identity]||EAP helper module that serves an identity over EAP before the actual EAP authentication.||