Linux Kernel Networking: Implementation and Theory (2014) - Chapter 10, IPsec (Linux)

Source: Internet
Author: User
XFRM Framework

IPsec is implemented on top of the XFRM (pronounced "transform") framework, which originated in the USAGI project, whose aim was to provide a production-quality IPv6 and IPsec protocol stack. The term "transform" refers to an incoming or outgoing packet being transformed in the kernel protocol stack according to some IPsec rule. The XFRM framework was introduced in kernel 2.5. XFRM is protocol-family independent: the generic part, shared by IPv4 and IPv6, lives in net/xfrm. IPv4 and IPv6 each have their own ESP, AH and IPCOMP implementations; for example, the IPv4 ESP module is in net/ipv4/esp4.c and the IPv6 ESP module is in net/ipv6/esp6.c. In addition, IPv4 and IPv6 implement protocol-specific modules that support the XFRM core, such as net/ipv4/xfrm4_policy.c and net/ipv6/xfrm6_policy.c. The XFRM framework supports network namespaces, a lightweight form of process virtualization that lets a single process or a group of processes have its own network stack (network namespaces are discussed in chapter 14). Each network namespace (an instance of struct net) contains a member named xfrm, which is an instance of struct netns_xfrm. This object holds many of the data structures and variables you will meet in this chapter, such as the XFRM policy hash tables, the XFRM state hash tables, the sysctl parameters, the XFRM state garbage collector, counters and so on.
struct netns_xfrm {
        struct hlist_head       *state_bydst;
        struct hlist_head       *state_bysrc;
        struct hlist_head       *state_byspi;
        . . .
        unsigned int            state_num;
        . . .

        struct work_struct      state_gc_work;

        . . .

        u32                     sysctl_aevent_etime;
        u32                     sysctl_aevent_rseqth;
        int                     sysctl_larval_drop;
        u32                     sysctl_acq_expires;
};
(include/net/netns/xfrm.h)
Initialization of XFRM

In IPv4, XFRM initialization is done in the xfrm_init() function; the call chain is ip_rt_init() -> xfrm4_init() -> xfrm_init(), where ip_rt_init() is in net/ipv4/route.c. In IPv6, XFRM initialization is done by calling xfrm6_init() from ipv6_route_init(). Communication between user space and the kernel is done by creating a netlink socket of type NETLINK_XFRM and sending and receiving netlink messages:
static int __net_init xfrm_user_net_init(struct net *net)
{
        struct sock *nlsk;
        struct netlink_kernel_cfg cfg = {
                .groups = XFRMNLGRP_MAX,
                .input  = xfrm_netlink_rcv,
        };

        nlsk = netlink_kernel_create(net, NETLINK_XFRM, &cfg);
        . . .
        return 0;
}
(net/xfrm/xfrm_user.c)
Messages sent from user space (such as XFRM_MSG_NEWPOLICY to create a new security policy, or XFRM_MSG_NEWSA to create a new security association) are handled by the xfrm_netlink_rcv() method, which in turn calls xfrm_user_rcv_msg() (netlink sockets were discussed in chapter 2). The XFRM policy and the XFRM state are the fundamental data structures of the XFRM framework; the following sections explain what an XFRM policy and an XFRM state are.

XFRM Policy

A security policy is a rule that tells IPsec whether a given flow should be processed or bypassed. The xfrm_policy structure represents an IPsec policy. A policy contains a selector (an xfrm_selector object); the policy applies when its selector matches a flow. The XFRM selector consists of a set of attributes, such as source and destination address, source and destination port and protocol, which together identify a flow:
struct xfrm_selector {
        xfrm_address_t  daddr;
        xfrm_address_t  saddr;
        __be16  dport;
        __be16  dport_mask;
        __be16  sport;
        __be16  sport_mask;
        __u16   family;
        __u8    prefixlen_d;
        __u8    prefixlen_s;
        __u8    proto;
        int     ifindex;
        __kernel_uid32_t        user;
};
(include/uapi/linux/xfrm.h)
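The selector fields above decide whether a flow is covered by a policy. As an added example (not code from the book or from the kernel), here is a userspace model of the IPv4 selector match the kernel performs in xfrm_selector_match(): addresses are compared under the prefix length, ports are compared under their mask, and a zero mask or a zero protocol acts as a wildcard. The struct and function names are this example's own; the kernel works on struct xfrm_selector and struct flowi instead.

```c
#include <stdbool.h>
#include <stdint.h>

/* Userspace model of the IPv4 fields of struct xfrm_selector (host byte order). */
struct sel4 {
    uint32_t daddr, saddr;             /* address prefixes the flow must fall in */
    uint8_t  prefixlen_d, prefixlen_s; /* 0 = any address, 32 = exact host */
    uint16_t dport, dport_mask;        /* mask 0 = any port, 0xffff = exact port */
    uint16_t sport, sport_mask;
    uint8_t  proto;                    /* 0 = any protocol */
};

/* Minimal flow key: only the fields the selector looks at. */
struct flow4 {
    uint32_t daddr, saddr;
    uint16_t dport, sport;
    uint8_t  proto;
};

/* Prefix comparison: prefixlen 0 is a wildcard, otherwise only the top bits count. */
bool addr4_match(uint32_t a, uint32_t b, uint8_t prefixlen)
{
    if (prefixlen == 0) return true;
    if (prefixlen > 32) return false;  /* malformed selector: never matches */
    uint32_t mask = (prefixlen == 32) ? 0xffffffffu : (0xffffffffu << (32 - prefixlen));
    return ((a ^ b) & mask) == 0;
}

/* Every clause must hold, as in the kernel's per-family match: XOR with the selector
 * value, AND with the mask; zero means equal in the bits that matter, mask 0 = any. */
bool selector_match(const struct sel4 *sel, const struct flow4 *fl)
{
    return addr4_match(fl->daddr, sel->daddr, sel->prefixlen_d) &&
           addr4_match(fl->saddr, sel->saddr, sel->prefixlen_s) &&
           !((fl->dport ^ sel->dport) & sel->dport_mask) &&
           !((fl->sport ^ sel->sport) & sel->sport_mask) &&
           (sel->proto == 0 || fl->proto == sel->proto);
}

/* Constructed check: the page's "src 172.16.2.0/24 dst 172.16.1.0/24" policy against
 * a TCP flow 172.16.2.7:51000 -> 172.16.1.9:443; ports and proto are wildcards here. */
bool demo_policy_matches(void)
{
    struct sel4 sel = { .daddr = 0xAC100100u, .prefixlen_d = 24,   /* 172.16.1.0/24 */
                        .saddr = 0xAC100200u, .prefixlen_s = 24 }; /* 172.16.2.0/24 */
    struct flow4 fl = { .daddr = 0xAC100109u, .saddr = 0xAC100207u, /* .1.9 <- .2.7 */
                        .dport = 443, .sport = 51000, .proto = 6 };
    return selector_match(&sel, &fl);
}
```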
The xfrm_selector_match() method takes an XFRM selector, a flow and a family (AF_INET for IPv4, AF_INET6 for IPv6) as parameters and returns true when the given flow matches the selector. Note that the xfrm_selector structure is also used in the XFRM state, which you will see later in this section. A security policy is represented by the xfrm_policy structure:
struct xfrm_policy {
        . . .
        struct hlist_node       bydst;
        struct hlist_node       byidx;

        /* This lock only affects elements except for entry. */
        rwlock_t                lock;
        atomic_t                refcnt;
        struct timer_list       timer;

        struct flow_cache_object flo;
        atomic_t                genid;
        u32                     priority;
        u32                     index;
        struct xfrm_mark        mark;
        struct xfrm_selector    selector;
        struct xfrm_lifetime_cfg lft;
        struct xfrm_lifetime_cur curlft;
        struct xfrm_policy_walk_entry walk;
        struct xfrm_policy_queue polq;
        u8                      type;
        u8                      action;
        u8                      flags;
        u8                      xfrm_nr;
        u16                     family;
        struct xfrm_sec_ctx     *security;
        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
};
(include/net/xfrm.h)
The following are some important members of the xfrm_policy structure:

refcnt: the XFRM policy reference count. It is initialized to 1 in xfrm_policy_alloc(), incremented in xfrm_pol_hold() and decremented in xfrm_pol_put().

timer: a per-policy timer. Its callback, xfrm_policy_timer(), is set in xfrm_policy_alloc(). xfrm_policy_timer() handles policy expiration: when a policy expires, xfrm_policy_delete() is called to delete the policy, and km_policy_expired() is called to send an XFRM_MSG_POLEXPIRE event to the registered key manager.

lft: the XFRM policy lifetime (an xfrm_lifetime_cfg object). Every XFRM policy has a lifetime, which can be time based or byte-count based. You can set the lifetime of an XFRM policy with the ip command and its limit parameter, for example:
ip xfrm policy add src 172.16.2.0/24 dst 172.16.1.0/24 limit byte-soft 6000 ...
This command sets the soft byte limit of the XFRM policy to 6000; see ip-xfrm(8). You can run ip -stat xfrm policy show to display the configured lifetime (lft) of an XFRM policy.

curlft: the current lifetime of the XFRM policy, reflecting how much of the lifetime a policy has used. curlft is an xfrm_lifetime_cur object made up of four members, each an unsigned 64-bit quantity:
- bytes: the number of bytes processed by the IPsec subsystem, incremented in xfrm_output_one() on the Tx path and in xfrm_input() on the Rx path.
- packets: the number of packets processed by the IPsec subsystem, incremented in xfrm_output_one() on the Tx path and in xfrm_input() on the Rx path.
- add_time: the timestamp of when the policy was added, initialized in xfrm_policy_insert() and xfrm_sk_policy_insert() when the policy is added.
- use_time: the timestamp of the latest access to the policy. It is updated in xfrm_lookup() and __xfrm_policy_check(), and initialized to 0 in xfrm_policy_insert() and xfrm_sk_policy_insert() when the policy is added.

Note: you can run ip -stat xfrm policy show to display the current lifetime (curlft) of an XFRM policy.
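To make the relation between lft, curlft and the per-policy timer concrete, here is an added userspace model (not the book's or the kernel's code) of the time-based expiry decision that xfrm_policy_timer() makes: hard limits delete the policy, soft limits only notify the key manager, and use-based limits count from use_time, or from add_time if the policy was never used. The struct, enum and function names are this example's own; byte and packet limits are left out.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Time-based limits of xfrm_lifetime_cfg, in seconds; 0 means "no limit". */
struct lifetime_cfg {
    uint64_t soft_add_expires_seconds, hard_add_expires_seconds;
    uint64_t soft_use_expires_seconds, hard_use_expires_seconds;
};

/* The add_time / use_time members of xfrm_lifetime_cur (seconds since the epoch). */
struct lifetime_cur {
    uint64_t add_time;   /* set when the policy was inserted */
    uint64_t use_time;   /* last lookup that hit the policy; 0 = never used */
};

enum verdict { POLICY_OK, POLICY_SOFT_EXPIRED, POLICY_HARD_EXPIRED };

/* What the per-policy timer would decide at wall-clock time `now`.
 * POLICY_SOFT_EXPIRED: notify the key manager (XFRM_MSG_POLEXPIRE, hard=0), keep the policy.
 * POLICY_HARD_EXPIRED: delete the policy and send XFRM_MSG_POLEXPIRE with hard=1.
 * *next_secs receives the seconds until the timer must fire again (LONG_MAX if never). */
enum verdict policy_lifetime_check(const struct lifetime_cfg *lft, const struct lifetime_cur *cur,
                                   uint64_t now, long *next_secs)
{
    long next = LONG_MAX;
    bool warn = false;
    /* use-based limits count from the last use, or from add_time if never used */
    uint64_t last_use = cur->use_time ? cur->use_time : cur->add_time;
    struct { uint64_t limit, base; bool hard; } checks[4] = {
        { lft->hard_add_expires_seconds, cur->add_time, true },
        { lft->hard_use_expires_seconds, last_use,      true },
        { lft->soft_add_expires_seconds, cur->add_time, false },
        { lft->soft_use_expires_seconds, last_use,      false },
    };
    for (int i = 0; i < 4; i++) {
        if (checks[i].limit == 0) continue;             /* unlimited */
        long tmo = (long)(checks[i].limit + checks[i].base) - (long)now;
        if (tmo <= 0) {
            if (checks[i].hard) return POLICY_HARD_EXPIRED;
            warn = true;                                 /* soft limit passed: report only */
            continue;
        }
        if (tmo < next) next = tmo;                      /* earliest pending deadline */
    }
    if (next_secs) *next_secs = next;
    return warn ? POLICY_SOFT_EXPIRED : POLICY_OK;
}
```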



(To be continued)

Original source from the network, if interested to read the original text directly (http://apprize.info/linux/kernel/11.html)