[Openswan dev] Openswan support for RFC 4301

Paul Wouters paul at xelerance.com
Thu Jan 13 09:13:32 EST 2011


On Thu, 13 Jan 2011, Patricia de Noriega wrote:

> Does openswan support RFC 4301? I'm interested specifically in how it searches
> in the SAD.
> 
> This RFC searches as follows:
> 
>       1. Search the SAD for a match on the combination of SPI,
>          destination address, and source address.  If an SAD entry
>          matches, then process the inbound packet with that
>          matching SAD entry.  Otherwise, proceed to step 2.
> 
>       2. Search the SAD for a match on both SPI and destination address.
>          If the SAD entry matches, then process the inbound packet
>          with that matching SAD entry.  Otherwise, proceed to step 3.
> 
>       3. Search the SAD for a match on only SPI if the receiver has
>          chosen to maintain a single SPI space for AH and ESP, and on
>          both SPI and protocol, otherwise.  If an SAD entry matches,
>          then process the inbound packet with that matching SAD entry.
>          Otherwise, discard the packet and log an auditable event.
> 
> Does openswan do the same?

1) and 2) yes, 3) prob not.

Note that there are two kernel stacks that can be used with openswan, they
might act differently in small ways.

I believe searching the SADs is done with a radij tree (in KLIPS). See
linux/net/ipsec/ipsec_radij.c

You can follow the kernel process closely if you run "ipsec klipsdebug --all",
send a packet, and then run dmesg.

With NETKEY, you'll have to check the source. There are no debugging facilities
in that ipsec stack.

Paul
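The three-step inbound SAD lookup quoted above, as an added Python illustration that is not Openswan or KLIPS code. It implements all three RFC 4301 steps (the reply says a real stack may stop after step 2), including the single-SPI-space switch and the auditable discard; the SAD entries and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

ESP, AH = 50, 51  # IP protocol numbers


@dataclass(frozen=True)
class SADEntry:
    spi: int
    proto: int              # ESP or AH
    dst: str
    src: Optional[str] = None   # None: entry is not keyed on a source (e.g. multicast)


def sad_lookup(sad: List[SADEntry], spi: int, proto: int, dst: str, src: str,
               single_spi_space: bool = False,
               audit: Optional[list] = None) -> Optional[SADEntry]:
    """Inbound SA selection as described in RFC 4301, steps 1-3."""
    # Step 1: SPI + destination + source.
    for e in sad:
        if e.spi == spi and e.dst == dst and e.src == src:
            return e
    # Step 2: SPI + destination only.
    for e in sad:
        if e.spi == spi and e.dst == dst:
            return e
    # Step 3: SPI only when AH and ESP share one SPI space, else SPI + protocol.
    for e in sad:
        if e.spi == spi and (single_spi_space or e.proto == proto):
            return e
    # No SA: discard and record an auditable event.
    if audit is not None:
        audit.append(f"discard: no SA for spi=0x{spi:08x} proto={proto} "
                     f"dst={dst} src={src}")
    return None


# Constructed sample SAD (not from any real system).
SAMPLE_SAD = [
    SADEntry(0x1000, ESP, "10.0.0.1", "10.0.0.2"),
    SADEntry(0x1000, ESP, "10.0.0.1", "10.0.0.3"),   # same SPI/dst, other peer
    SADEntry(0x2000, ESP, "224.0.0.9"),              # multicast, no source key
    SADEntry(0x3000, AH,  "10.0.0.1"),
    SADEntry(0x3000, ESP, "10.0.0.1"),
]

if __name__ == "__main__":
    log: list = []
    print(sad_lookup(SAMPLE_SAD, 0x1000, ESP, "10.0.0.1", "10.0.0.3"))   # step 1
    print(sad_lookup(SAMPLE_SAD, 0x2000, ESP, "224.0.0.9", "10.0.0.7"))  # step 2
    print(sad_lookup(SAMPLE_SAD, 0x3000, ESP, "192.0.2.1", "192.0.2.2")) # step 3
    print(sad_lookup(SAMPLE_SAD, 0x9999, ESP, "10.0.0.1", "10.0.0.2", audit=log), log)
```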