
An XML based management protocol for strongSwan (SMP) » History » Version 10

Tobias Brunner, 09.07.2014 16:36

h1. An XML based management protocol for strongSwan (SMP)

We are developing a flexible XML-based configuration interface. It uses the *SMP* protocol developed by Andreas Eigenmann and Joël Stillhart as part of their diploma thesis.

----

SMP is deprecated since version:5.2.0 in favor of the [[VICI|Versatile IKE Control Interface (VICI)]].

----

h2. Overview

The currently implemented communication interface to [[charon]] is called stroke. It is a simple protocol with its own binary format. Only the input format is specified; output is redirected to the console.

While this protocol is usable for console applications (ipsec/starter), we need a better protocol to get feedback for an operation, query the status of the daemon, and so on.

h2. Requirements

* Querying
** IKE_SA list
** Daemon status
** ...
* Control
** initiate connection
** terminate connection
** ...
* Get notifications
** client connected
** client connect attempt failed
** ...

h2. Protocol

To get a universally usable and easy-to-implement protocol, SMP is based on XML. We use "Relax-NG":http://www.relaxng.org schemas for validation, as they are more powerful than DTD but simpler than XML Schema.

h3. Connectivity

SMP uses a reliable transport protocol. The first implementation runs over a Unix socket; TCP connections are targeted for a later release (see Security).

h3. Security

We do not implement any security (encryption/authentication) in the first iteration. Since we operate on a Unix socket, we enforce security with file permissions. Further development iterations will add support for remote administration (over TCP), and then we need authentication, encryption and integrity checks.

The XML-Security-like approach proposed in the diploma thesis does not provide replay attack detection. Further, using the asymmetric approach for each message may be too expensive.

If we implement a more complex notification mechanism, we need to register at connection setup anyway. We could agree on encryption and compression algorithms and exchange a key in this registration process.

h3. Message format

The root element of an exchanged document is the _<message>_ element. A message has a _type_ attribute of either _request_, _response_ or _notification_. To protect messages against replay attacks, each message has an _id_ attribute, which is unique and incremental for each request/response pair. Notifications use their own counter for message ids, as they appear asynchronously.

Messages of _type_ _request_ and _response_ contain one or more of the elements _query_ and _control_.

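The id rules above can be enforced on the client side with a small validator; the following is an added example and not code from strongSwan or the diploma thesis. It assumes that a request and its response share one id drawn from the client's counter, that notification ids come from a separate strictly increasing counter, and that the child content of _query_/_control_ is irrelevant to the check.

```python
import xml.etree.ElementTree as ET

class SmpClientValidator:
    """Client-side freshness check for SMP messages (hypothetical helper, not strongSwan code).
    Assumed reading of the rules above: a request and its response share one id from the
    client's counter; notifications carry ids from a separate, strictly increasing counter."""

    def __init__(self):
        self.next_request_id = 1
        self.pending = set()            # request ids still awaiting a response
        self.last_notification_id = 0

    def build_request(self, body):
        mid = self.next_request_id      # wrap a <query>/<control> body with a fresh id
        self.next_request_id += 1
        self.pending.add(mid)
        return f'<message type="request" id="{mid}">{body}</message>'

    def accept(self, text):
        """True if an inbound message is well-formed and fresh, False if replayed or unknown."""
        root = ET.fromstring(text)
        if root.tag != "message":
            raise ValueError("root element must be <message>")
        mtype = root.get("type")
        if mtype not in ("request", "response", "notification"):
            raise ValueError(f"unknown message type: {mtype!r}")
        if not (root.get("id") or "").isdigit():
            raise ValueError("id attribute must be a non-negative integer")
        mid = int(root.get("id"))
        if mtype == "response":
            if mid not in self.pending:
                return False            # no matching outstanding request: replay or stray
            self.pending.discard(mid)   # each request id is answered exactly once
            return True
        if mtype == "notification":
            if mid <= self.last_notification_id:
                return False            # stale or replayed notification
            self.last_notification_id = mid
            return True
        return False                    # a client never accepts requests

def demo():
    # constructed exchange: a request/response pair, a replayed response, then notifications
    v = SmpClientValidator()
    v.build_request("<query/>")                                   # takes id 1
    resp = '<message type="response" id="1"><query/></message>'
    return (v.accept(resp), v.accept(resp),                       # True, then False (replay)
            v.accept('<message type="notification" id="1"/>'),    # True: separate counter
            v.accept('<message type="notification" id="1"/>'),    # False: replayed
            v.accept('<message type="notification" id="2"/>'))    # True: counter advanced
```

As the Security section notes, the first iteration carries no integrity protection, so this check only rejects duplicated or out-of-order messages; it becomes a real replay defence once authentication and integrity checks are in place.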
h3. Schema

The complete schema is available at source:src/libcharon/plugins/smp/schema.xml (draft).

h3. Query Operations

* [[SMPQueryIKESA|Query a list of IKE_SAs]]
* ...

The status of all IKE_SAs can be queried by sending a message of type _request_ including a query