untitled

Size: px

Start display at page:

Download "untitled"

わんどわにべ
5 years ago
Views:

1 Linux IPv6 xfrm (USAGI ) Java Linux ( ) 2001 USAGI IPsec Linux-2.4 IPsec Linux-2.5 IPsec IPv6 2 1

2 Topics IPsec Linux Linux xfrm 3 1. RFC

3 IPsec 5 IPsec IP IP (connection less) ( ) 6 3

4 IPsec RFC4301 RFC2401 IPsec RFC4302 RFC2402 AH (Authentication Header) RFC4303 RFC2403 ESP (Encapsulation Payload) RFC4304 ESN (Extended Sequence Number) RFC4305 Algorithm Requirement RFC4306 IKEv2 ( ) 7 AH ESP Authentication Header (AH) IP Encapsulation Payload (ESP) IP IP Payload AH ESP 8 4

5 IPsec Security Policy (AH,ESP) Security Association (IPsec SA) SPD, SAD Security Policy, Security Association IPsec SA 9 IPsec (outbound) IKE SP ( ) SA SPD SP IPsec IP SAD IPsec SA IPsec SA ( ) 10 5

6 IPsec (inbound) SA SP ( ) SPD SP IPsec IP SAD IPsec SA IPsec SA ( ) 11 Linux 12 6

7 (Linux) RFC API 13 Linux 2.4,2.5 ( ) -rc1 -rcx (release candidate) linux-2.6.x.y:-stable 14 7

8 Linux Network Stack ML : : linux-crypto@vger.kernel.org : Netdev (linux-net ) ( ) [RFC] 15 #ifdef netlink better ( ) smp 16 8

9 Singned-off-by (Developers Certificate of Origin 1.1) RFC2646 Thunderbird patch copy and paste hit and away 17 Linux 18 9

10 ( ) 19 struct param; struct protocol { int (*receive)(struct param *p); }; int ipv6_receive(struct param *); struct protocol ipv6_cb; int init(){ ipv6_cb.receive = ipv6_receive; register_protocol(ipv6, &ipv6_cb); } 20 10

11 (UDP ) udpv6_sendmsg : udp ip6_sk_dst_lookup : ip6_append_data : udp_v6_push_pending_frames: ip6_push_pending_frames : IPv6 dst_output : ip6_output : IPv6 dev_queue_xmit : 21 (UDP ) sock_queue_rcv : udpv6_rcv : ip6_input : ip6_route_input : ip6_rcv : IPv6 hop-by-hop netif_receive_skb : NET_RX_SOFTIRQ->net_rx_action netif_rx_schedule 22 11

12 3 routing table + netdevice ( ) netfilter ( ) xfrm ( ) 2 outbound 23 xfrm xfrm_policy IPsec xfrm_state IPsec SA xfrm_tmpl xfrm_policy xfrm_state xfrm_selector xfrm_policy xfrm_state 24 12

13 xfrm udpv6_sendmsg ip6_sk_dst_lookup xfrm_lookup : ip6_append_data udp_v6_push_pending_frames ip6_push_pending_frames dst_output xfrm6_output esp6_output : ip6_output dev_queue_xmit 25 xfrm_lookup xfrm_policy xfrm_policy_lookup xfrm_policy flow_cache IPsec xfrm_find_bundle xfrm_policy dst_entry ( xfrm_bundle_create ) xfrm_temple_resolve 26 13

14 xfrm_tmpl_resolve xfrm_policy xfrm_tmpl xfrm_state xfrm_state xfrm_state (SADB_ACQUIRE ) xfrm_tmpl_resolve EAGAIN xfrm_lookup schedule() process 27 xfrm_bundle_create xfrm_bundle_create xfrm_tmpl_resolve dst_entry _buff dst_entry _buff dst_entry route path xfrm child dst_entry xfrm route child dst_entry xfrm _state xfrm _state 28 14

15 xfrm_bundle_create (cont) xfrm_bundle_create xfrm_tmpl_resolve dst_entry _buff dst_entry tunnel _buff dst_entry xfrm route child dst_entry xfrm dst_entry route child xfrm _state xfrm _state path dst_entry 29 ip6 _append _data ( ) sk_buff (IPv6,ESP ) MSG_MORE MTU MSG_MORE MTU 30 15

16 sk _buff alloc_skb sk_buff skb_sh_info sk_buff _buff skb ->head skb->data skb->tail skb->end end skb_sh_info skb _frags _buff _buff skb_shinfo 31 ip6 _append _data IPv6 ESP ESP ( ) IPv6 Frag ESP IPv6 Frag ESP 32 16

17 ip6_push_pending_frams IPv6 ESP ESP ( ) IPv6 Frag ESP IPv6 Frag 33 dst_output xfrm6_output _buff dst_entry xfrm route child dst_entry xfrm route child dst_entry xfrm _state xfrm _state 34 17

18 xfrm sock_queue_rcv xfrm_policy_check : udpv6_rcv xfrm6_input esp6_input : ip6_input ip6_route_input ipv6_rcv netif_receive_skb NET_RX_SOFTIRQ->net_rx_action netif_rx_schedule 35 xfrm6_input AH, ESP, IPCOMP xfrm_state netif_rx xfrm_state sk_buff sec_path xfrm_policy_check 36 18

19 xfrm_policy_check xfrm_policy xfrm_tmpl sk_buff sec_path 37 ML 38 19

20 Linux 39 Linux 40 20

21 xfrm 41 21

template.dvi

template.dvi XIV PW I D E P R O J E C T 14 FQDN 1 KINK KINK Kerberos Kerberos IPsec FQDN IKE IETF IPsec WG IKE kink/fqdn@realm Internet Key Exchange version 2IKEv2 FQDN IPsec IP Kerberos Kerberized Internet Nego-