[Openswan dev] New IPsec user application
Ulrich Weber
uweber at astaro.com
Thu Apr 26 15:59:36 EDT 2007
> Great - thanks for the pointers. I'll try those lists now. I
> take it http://marc.info/?l=linux-netdev is the best place to ask
> for questions about XFRM and KLIPS and the NETKEY interface?
>
Depends, first you have to decide which IPSec implementation you want
to extend for your needs, KLIPS or Native IPSec.
For KLIPS you're right on this list, for the latter one netdev is the
right place.
> On the question of IP fragmentation - in my scenario all packets to
> be sent over these SAs are (or should be) originated by my
> application and sent over the standard sockets interface. So any
> IP fragments should only be created by the outbound IP stack. I
> believe (and my reading seems to confirm this), that IPsec
> encapsulation of an outgoing packet occurs before any IP
> fragmentation of those packets. So hopefully my ports will still
> be available.
>
You are right, that could work.
> Of course in the general case of traffic forwarding (say if the
> device is acting as a router), you're correct that this approach
> will not work.
>
> Please let me know if I've misunderstood, or if you know of an
> easier way to achieve what I want (say a socket option that allows
> you to specify the SA to use for traffic sent over this socket).
>
Have a look at selinux ipsec. Seems they have already implementet
something with socket base IPSec SAs:
http://www.nsa.gov/selinux/papers/ols2006.odp
Cheers
Ulrich
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20070426/fcee7d02/attachment.html
More information about the Dev
mailing list