strongSwan

= An XML based management protocol for strongSwan (SMP) =

We are developing a flexible configuration interface based non XML. It is based on a the diploma thesis of Andreas Eigenmann and Joël Stillhart. The protocol is called SMP. It needs some changes, as the hole configuration management of the daemon has changed in the meantime.

== Overview ==

The currently implemented communication interface to [wiki:charon] is called stroke. It's a simple protocol with it's own binary format. Only the input format is specified, output is redirected to the console.

While this protocol is usable for console applications (ipsec/starter), we need a better protocol to get feedback for an operation, query the status of the daemon, ...

== Requirements ==

  * Querying

    * IKE_SA list

    * Daemon status

    * ...

  * Control

    * initiate connection

    * terminate connection

    * ...

  * Get notifications

    * client connected

    * client connect attempt failed

    * ...

== Protocol ==

To get an universal usable and easy to implement protocol, SMP is based on a XML. We use [http://www.relaxng.org Relax-NG] schemas for validation, as they are more powerful than DTD, but simpler than XML schema.

=== Connectivity ===

SMP uses a reliable protocol. We implement the protocol over a Unix socket for the first try, TCP connections are targeted for a later release (see security).

=== Security ===

We do not implement any security (encryption/authentication) in the first iteration. We will operate on a Unix socket, we enforce security with file permissions. Further development iterations will support for remote administration (over TCP), and then we need authentication, encryption and integrity checks.

The proposed XML-Security like approach proposed in the diploma thesis suffers from replay attack detection. Futher, using the asymmetric approach for each message may be to expensive.

If we implement a more complex notification mechanism, we need to register anyway at connection setup. We could agree on encryption and compression algorithm and exchange a key in this registration process.

=== Message format ===

The root element of an exchanged element is the ''<message>'' element. A message has a ''type'' attribute of either ''request'', ''response'' or ''notification''. To protect messages against replay attacks, each message as an ''id'' attribute, which in unique and incremental for each request/response pair. Notifications use their own counter for for message ids, as they appear asynchronously.

Messages of ''type'' ''request'' and ''response'' contain one or more of the elements ''query'' and ''control''.

=== Schema ===

The complete schema is available at [source:trunk/src/charon/control/interfaces/xml_interface.xml] (draft).

=== Query Operations ===

  * [wiki:SMPQueryIKESA Query a list of IKE_SAs]

  * ...

The status of all IKE_SAs can be queried by sending a message of type ''request'' including a query