An XML based management protocol for strongSwan (SMP) » History » Version 7

Version 6 (Martin Willi, 02.04.2008 09:49) → Version 7/10 (Martin Willi, 02.04.2008 09:49)

h1. An XML based management protocol for strongSwan (SMP)

We are developing a flexible XML-based configuration interface. It uses the *SMP* protocol developed by Andreas Eigenmann and Joël Stillhart as part of their diploma thesis.

h2. Overview

The currently implemented communication interface to [[charon]] is called stroke. It is a simple protocol with its own binary format. Only the input format is specified; output is redirected to the console.

While this protocol is usable for console applications (ipsec/starter), we need a better protocol to get feedback on an operation, query the status of the daemon, ...

h2. Requirements

* Querying
** IKE_SA list
** Daemon status
** ...
* Control
** initiate connection
** terminate connection
** ...
* Get notifications
** client connected
** client connect attempt failed
** ...

h2. Protocol

To get a universally usable and easy to implement protocol, SMP is based on XML. We use "Relax-NG":http://www.relaxng.org schemas for validation, as they are more powerful than DTD but simpler than XML Schema.

h3. Connectivity

SMP uses a reliable transport. We implement the protocol over a Unix socket for the first try; TCP connections are targeted for a later release (see security).

h3. Security

We do not implement any security (encryption/authentication) in the first iteration. As we operate on a Unix socket, we enforce security with file permissions. Further development iterations will support remote administration (over TCP), and then we will need authentication, encryption and integrity checks.

The XML-Security like approach proposed in the diploma thesis falls short on replay attack detection. Further, using the asymmetric approach for each message may be too expensive.

If we implement a more complex notification mechanism, we need to register at connection setup anyway. We could agree on encryption and compression algorithms and exchange a key in this registration process.

h3. Message format

The root element of an exchanged message is the _<message>_ element. A message has a _type_ attribute of either _request_, _response_ or _notification_. To protect messages against replay attacks, each message has an _id_ attribute, which is unique and incremental for each request/response pair. Notifications use their own counter for message ids, as they appear asynchronously.

Messages of _type_ _request_ and _response_ contain one or more of the elements _query_ and _control_.

h3. Schema

The complete schema is available at [source:trunk/src/charon/plugins/smp/schema.xml] (draft).
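As an added illustration of the message format described above (example code written for this page, not part of the SMP plugin or the diploma thesis), the following client-side helper builds _request_ messages with the incremental _id_ counter and rejects incoming _response_ or _notification_ messages whose id was already consumed, which is the replay check the id attribute is meant to enable. The element and attribute names (message, type, id, query, control) come from the page; the query body _<ikesalist/>_ and the class name are assumptions.

```python
import xml.etree.ElementTree as ET


class SmpSession:
    """One SMP connection: builds requests and checks incoming message ids.

    Element and attribute names follow the wiki page; the query body
    <ikesalist/> used in the demo is an assumed placeholder.
    """

    def __init__(self):
        self._next_id = 1          # request/response pairs share one counter
        self._last_notify_id = 0   # notifications use their own counter
        self._pending = {}         # id -> operation awaiting a response

    def build_request(self, op, body_tag):
        """Return a serialized request carrying one query or control element."""
        if op not in ("query", "control"):
            raise ValueError("operation must be 'query' or 'control'")
        msg = ET.Element("message", type="request", id=str(self._next_id))
        ET.SubElement(ET.SubElement(msg, op), body_tag)
        self._pending[self._next_id] = op
        self._next_id += 1
        return ET.tostring(msg, encoding="unicode")

    def accept(self, raw):
        """Parse an incoming message and return (type, id, child tags).

        A response must answer an outstanding request id; each id is used
        once, so a replayed response is rejected. A notification id must be
        greater than the last one seen on this connection.
        """
        root = ET.fromstring(raw)
        if root.tag != "message":
            raise ValueError("root element must be <message>")
        mtype, mid = root.get("type"), root.get("id")
        if mid is None or not mid.isdigit():
            raise ValueError("message needs a numeric id attribute")
        mid = int(mid)
        if mtype == "response":
            op = self._pending.pop(mid, None)
            if op is None:
                raise ValueError(f"unexpected or replayed response id {mid}")
            if root.find(op) is None:
                raise ValueError(f"response {mid} lacks the <{op}> element")
        elif mtype == "notification":
            if mid <= self._last_notify_id:
                raise ValueError(f"replayed notification id {mid}")
            self._last_notify_id = mid
        else:
            raise ValueError(f"unexpected message type {mtype!r}")
        return mtype, mid, [child.tag for child in root]


if __name__ == "__main__":
    s = SmpSession()
    print(s.build_request("query", "ikesalist"))
    # constructed sample reply, as the daemon might send it
    print(s.accept('<message type="response" id="1"><query/></message>'))
```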

h3. Query Operations

* [[SMPQueryIKESA|Query a list of IKE_SAs]]
* ...

The status of all IKE_SAs can be queried by sending a message of type _request_ including a query