?? klips2-design-api-trips.txt
字號:
# -*- mode: Outline; fill-column: 78; fill-prefix: " " -*-## klips2-design-api-trips.txt# Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>## RCSID $Id: klips2-design-api-trips.txt,v 1.8 2001/05/30 08:00:14 rgb Exp $## This document outlines various trips that are made through the# various APIs for different scenarios. Please see klips2-design.txt# for an overview.# Several scenario titles are listed. Under each scenario title is# listed point form text to describe what action is happenning and/or# the reason for the following calls. Following the descriptive text# is a origin and destination entity interface description. Within# each interface description is a list of specific arguments used or# that need to be added to accomplish the action.Opportunistic encryption: - put a trap in place from KMd KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK char[] -d DADDR/DMASK char[] --protocol PROTO char[] --sport SPORT char[] --dport DPORT char[] --uid-owner UID char[] --seclev seclevstr char[] -J TRAP out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> NetFilter ip6tables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev target TRAP - packet comes NetFilter -> seclev match NetFilter kernel module in: struct sk_buff *skb struct seclev out: boolean NetFilter -> sa match NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[,...] out: boolean - packet matches TRAP NetFilter -> TRAP target NetFilter kernel module in: struct sk_buff *skb out: unsigned int = NF_STOLEN - send up an ACQUIRE TRAP target NetFilter kernel module -> KMds (PF_KEYv2 ACQUIRE) see RFC2367, PF_KEYv2 ACQUIRE - create HOLD target with skb info and store the first packet TRAP target NetFilter kernel module -> NetFilter in: struct sk_buff *skb out: boolean - next packet comes in while KMd is negotiating SAs. NetFilter -> seclev match NetFilter kernel module in: struct sk_buff *skb struct seclev out: boolean NetFilter -> sa match NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[,...] out: boolean - packet matches HOLD so discard previous skb (packet) and store this one NetFilter -> HOLD target NetFilter kernel module in: struct sk_buff *skb out: unsigned int = NF_STOLEN - put the new SAs in place once the negotiations have succeeded KMd -> SADB (PF_KEYv2 ADD/UPDATE) see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA - add ENCRYPT target with specific SAs to use KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK char[] -d DADDR/DMASK char[] --protocol PROTO char[] --sport SPORT char[] --dport DPORT char[] --uid-owner UID char[] --seclev seclev char[] -J ENCRYPT char[] --salist SAList out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> ENCRYPT target iptables(8) library ip6tables(8) -> ENCRYPT target ip6tables(8) library in: char[] --salist SAList out: struct ip_said SA[, ...] iptables(8) -> NetFilter ip6tables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev target ENCRYPT struct ip_said SA[, ...] - add ACCEPT target for once the packet is processed KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK (local SG) char[] -d DADDR/DMASK (remote SG) char[] --proto ESP char[] --salist SAList char[] --espspi SPI char[] -J ACCEPT out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> sa match iptables(8) library ip6tables(8) -> sa match ip6tables(8) library in: char[] --salist SAList out: struct ip_said SA[, ...] iptables(8) -> NetFilter ip6tables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev struct ip_said SA[, ...] - replace HOLD target with ENCRYPT target, releasing skb HOLD target NetFilter kernel module -> NetFilter (I don't know the best way to show this on the diagram, since the skb is stored with the eroute and not the HOLD target module) in: struct sk_buff *skb - send released packet through newly created ENCRYPT target and SAs NetFilter -> ENCRYPT target NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[, ...] out: unsigned int = NF_STOLEN - fetch SAs specified in NetFilter table entry with ENCRYPT args ENCRYPT target NetFilter kernel module -> SADB (SAID) in: struct ip_said SA out: struct tdb *tdbp - send skb (packet) back into NF_IP_POST_ROUTE ENCRYPT target NetFilter kernel module -> NetFilter in: struct sk_buff *skb struct ip_said SA[,...] - expire SA if a limit is reached SADB -> KMd (PF_KEYv2 EXPIRE) see RFC2367, PF_KEYv2 EXPIRE Outgoing w/existing connection specifying SAs - put the new SAs in place once negotiations have succeeded KMd -> SADB (PF_KEYv2 ADD/UPDATE) see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA - put in a rule to match packets for that set of SAs KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK char[] -d DADDR/DMASK char[] --protocol PROTO char[] --sport SPORT char[] --dport DPORT char[] --uid-owner UID char[] --seclev seclev char[] -J ENCRYPT char[] --salist SAList out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> ENCRYPT target iptables(8) library ip6tables(8) -> ENCRYPT target ip6tables(8) library in: char[] --salist SAList out: struct ip_said SA[, ...] iptables(8) -> NetFilter ip6tables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev target ENCRYPT struct ip_said SA[, ...] - add ACCEPT for once the packet is processed KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK (local SG) char[] -d DADDR/DMASK (remote SG) char[] --proto ESP char[] --salist SAList char[] --espspi SPI char[] -J ACCEPT out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> sa match iptables(8) library ip6tables(8) -> sa match ip6tables(8) library in: char[] --salist SAList out: struct ip_said SA[, ...] iptables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev struct ip_said SA[, ...] target ACCEPT - outgoing packet is tested on selectors NetFilter -> seclev match NetFilter kernel module in: struct sk_buff *skb struct seclev out: boolean NetFilter -> sa match NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[,...] out: boolean - matching packet is sent to ENCRYPT target with SAList NetFilter -> ENCRYPT target NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[, ...] out: unsigned int = NF_STOLEN - fetch SAs specified in NetFilter table entry with ENCRYPT args ENCRYPT target NetFilter kernel module -> SADB (SAID) in: struct ip_said SA out: struct tdb *tdbp - send skb (packet) back into NF_IP_POST_ROUTE ENCRYPT target NetFilter kernel module -> NetFilter in: struct sk_buff *skb struct ip_said SA[,...] - outgoing processed packet is tested on selectors and ACCEPTed NetFilter -> seclev match NetFilter kernel module in: struct sk_buff *skb struct seclev out: boolean NetFilter -> sa match NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[,...] out: boolean - expire SA if a limit is reached SADB -> KMd (PF_KEYv2 EXPIRE) see RFC2367, PF_KEYv2 EXPIRE Outgoing w/existing connection routing through IPSec device - put the new SAs in place once negotiations have succeeded KMd -> SADB (PF_KEYv2 ADD/UPDATE) see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA - put in a rule to match packets for that set of SAs KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK char[] -d DADDR/DMASK char[] --protocol PROTO char[] --sport SPORT char[] --dport DPORT char[] --uid-owner UID char[] --seclev seclev char[] --out-interface IPSECdev char[] -J ENCRYPT char[] --salist SAList out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> ENCRYPT target iptables(8) library ip6tables(8) -> ENCRYPT target ip6tables(8) library in: char[] --salist SAList out: struct ip_said SA[, ...] iptables(8) -> NetFilter ip6tables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev target ENCRYPT struct ip_said SA[, ...] KMd -> Routing Table (Routing) see route(8) or iproute2(8), currently done by system(3) calls to _updown. in: char[] IPSECdev out: unsigned char exit_code - add ACCEPT for once the packet is processed KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK (local SG) char[] -d DADDR/DMASK (remote SG) char[] --proto ESP char[] --espspi SPI char[] --salist SAList char[] -J ACCEPT out: unsigned char exit_code iptables(8) -> seclev match iptables(8) library ip6tables(8) -> seclev match ip6tables(8) library in: char[] --seclev seclevstr out: struct seclev iptables(8) -> sa match iptables(8) library ip6tables(8) -> sa match ip6tables(8) library in: char[] --salist SAList out: struct ip_said SA[, ...] iptables(8) -> NetFilter ip6tables(8) -> NetFilter I/F is already defined in NetFilter. In addition, it will need structures to pass the following: in: struct seclev struct ip_said SA[, ...] - outgoing packet is tested on match modules NetFilter -> seclev match NetFilter kernel module in: struct sk_buff *skb struct seclev out: boolean NetFilter -> sa match NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[,...] out: boolean - outgoing packet matches IPSECdev and is sent to ENCRYPT target with SAList NetFilter -> ENCRYPT target NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[, ...] out: unsigned int = NF_STOLEN - fetch SAs specified in NetFilter table entry with ENCRYPT args ENCRYPT target NetFilter kernel module -> SADB (SAID) in: struct ip_said SA out: struct tdb *tdbp - send skb (packet) back into NF_IP_POST_ROUTE ENCRYPT target NetFilter kernel module -> NetFilter in: struct sk_buff *skb struct ip_said SA[,...] - processed packet is tested on match modules and ACCEPTed NetFilter -> seclev match NetFilter kernel module in: struct sk_buff *skb struct seclev out: boolean NetFilter -> sa match NetFilter kernel module in: struct sk_buff *skb struct ip_said SA[,...] out: boolean - expire SA if a limit is reached SADB -> KMd (PF_KEYv2 EXPIRE) see RFC2367, PF_KEYv2 EXPIRE Incoming w/existing connection specifying SAs - put in the new SAs in place once the negotiations have succeeded KMd -> SADB (PF_KEYv2 ADD/UPDATE) see RFC2367, PF_KEYv2 ADD/UPDATE message for each SA - put in a blocking entry to prevent unprotected packets entering KMd -> iptables(8) system(3) call (Policy) KMd -> ip6tables(8) system(3) call (Policy) in: char[] -I char[] -s SADDR/SMASK char[] -d DADDR/DMASK char[] --protocol PROTO char[] --sport SPORT char[] --dport DPORT?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -