<div>Hi Ulrich</div> <div> </div> <div>Great - thanks for the pointers. I'll try those lists now. I take it <A href="http://marc.info/?l=linux-netdev">http://marc.info/?l=linux-netdev</A> is the best place to ask for questions about XFRM and KLIPS and the NETKEY interface?</div> <div> </div> <div>On the question of IP fragmentation - in my scenario all packets to be sent over these SAs are (or should be) originated by my application and sent over the standard sockets interface. So any IP fragments should only be created by the outbound IP stack. I believe (and my reading seems to confirm this), that IPsec encapsulation of an outgoing packet occurs before any IP fragmentation of those packets. So hopefully my ports will still be available.</div> <div> </div> <div>Of course in the general case of traffic forwarding (say if the device is acting as a router), you're correct that this approach will not work.</div>
<div> </div> <div>Please let me know if I've misunderstood, or if you know of an easier way to achieve what I want (say a socket option that allows you to specify the SA to use for traffic sent over this socket).</div> <div> </div> <div>Regards</div> <div> </div> <div>Oli</div> <div><BR><BR><B><I>Ulrich Weber <uweber@astaro.com></I></B> wrote:</div> <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">Hi Olivier,<BR><BR>it's not quite the right mailing list. You could try http:// <BR>www.vpnc.org/ietf-ipsec/<BR>or http://marc.info/?l=linux-netdev<BR><BR><BR>What you wanna do has nothing to do with openswan.<BR>IPSec in Linux consists of kernel space and user space code.<BR><BR>Kernel space is either XFRM (Linux Native IPSec for 2.6)<BR>or KLIPS (Kernel IPSec implementation by Freeswan/Openswan for <BR>2.2/2.4/2.6).<BR><BR>User space (IKE program) is either openswan's pluto or racoon.<BR>Their
purpose is to install/delete SA (Security Associations) in <BR>kernel space<BR>via PF_KEY or NETKEY interface.<BR><BR>For more information about PF_KEY you can play with setkey program,<BR>see http://www.die.net/doc/linux/man/man8/setkey.8.html<BR><BR>For more information about NETKEY you can play with a<BR>recent iproute2 version, e.g. "ip xfrm state add ..."<BR><BR>><BR>> Requirements/Questions<BR>> ----------------------<BR>> Multiple SAs need to be supported to a given endpoint (IP <BR>> address). The choice of SA (for outbound packets) is controlled by <BR>> the transport level ports, so IPsec policy needs to be able to <BR>> associate a specific SA with a particular flow (flow being src+dest <BR>> IP address, transport protocol and ports).<BR>Not possible with the IPSec standard (Only IP/Protocol ID is supported).<BR>You dont have port information for each packet (IP fragmentation!).<BR>However you could abuse connection tracking for that and
extend <BR>kernel IPSec ...<BR><BR><BR>Cheers<BR>Ulrich<BR></BLOCKQUOTE><BR><p> 
                <hr size=1><font face="Arial" size="2">To help you stay safe and secure online, we've developed the all new <a href="http://us.rd.yahoo.com/mail/uk/taglines/default/security_centre/*http://uk.security.yahoo.com/"><b>Yahoo! Security Centre</b></a>.</font>