[Swan-dev] child?

Andrew Cagney andrew.cagney at gmail.com
Fri Mar 27 17:51:44 EET 2015


I'd like to clarify what a "child" is within pluto.  Trying to map the V2
spec onto the code is, well, confusing.  Here's why:


- ``IKE is a component of IPsec used for performing mutual authentication
and establishing and maintaining Security Associations (SAs)''

Let's look for "security association", since it needs to contain lots of
crypto stuff it should be easy to find.  Ah, there's this thing called
"state".

So the "state" object is used for the Security Association.  Strange name,
but let's work with it....


- ``The CREATE_CHILD_SA exchange is used to create new Child SAs and to
rekey both IKE SAs and Child SAs.''

"child" should be easy to find and yes, there are parent and child
SAs/states.

So the state object again corresponds to the Security Association.
Presumably the "struct connection" in "struct state" is only used for child
SAs.


- ``Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH
exchanges (known in IKEv1 as Phase 1).''

Let's look for a state machine.  Can't miss that.  Oh, wait, now we know why
"state" is called state.

So the "state" object is used for BOTH a Security Association and the
IKE(parent) state machine.


- ``All IKE communications consist of pairs of messages: a request and a
response. The pair is called an "exchange", and is sometimes called a
"request/response pair"''

OK, let's look for "exchange" in the code, hmm....  Beyond comments and
strings, not much luck.  Dig further.  Oh, look, "child" state objects are
being created whenever there is any sort of exchange and not for
establishing child SAs.

WT.?

So we've a single object that contains:

- the IKE(parent) state machine
- Security Association keying material
- local state pertaining to any arbitrary message exchange
- the connection for the child SA

So, to my question, what exactly does IS_CHILD(state) mean?  It seems to be
both:

- a child exchange
- a child SA

?
Andrew
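The distinction the message is asking about, as an added example that is not pluto or libreswan code: a toy Python model that keeps the three things the post finds folded into one "state" object as three separate objects, the IKE (parent) SA with its state machine, Child SAs holding keying material, and exchanges that exist only as request/response bookkeeping. The class and function names (IkeSA, ChildSA, Exchange, run_exchange, summary), the constructed nonces and the constant standing in for the Diffie-Hellman result are all assumptions made for illustration; the derivation shape (prf+ from RFC 7296 section 2.13, KEYMAT = prf+(SK_d, Ni | Nr) from section 2.17 without PFS) follows the RFC, with HMAC-SHA256 as the prf.

```python
"""Toy IKEv2 object model: IKE SA, Child SA and exchange kept apart.

Added example, not libreswan/pluto code.  Names and the constructed
secrets below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
import hashlib
import hmac


class IkeState(Enum):
    """State machine of the IKE (parent) SA only."""
    INITIAL = auto()       # nothing exchanged yet
    INIT_DONE = auto()     # IKE_SA_INIT finished, SK_d derived
    ESTABLISHED = auto()   # IKE_AUTH finished, peers authenticated


@dataclass
class Exchange:
    """One request/response pair, keyed by Message ID.  Bookkeeping for a
    message in flight, not a Security Association."""
    msg_id: int
    kind: str


@dataclass
class ChildSA:
    """Keying material for one ESP/AH SA, the thing IKE exists to set up."""
    spi: int
    keymat: bytes


@dataclass
class IkeSA:
    state: IkeState = IkeState.INITIAL
    sk_d: bytes = b""
    init_nonces: bytes = b""
    used_nonces: set = field(default_factory=set)
    next_msg_id: int = 0
    next_spi: int = 0x1000
    children: dict = field(default_factory=dict)   # spi -> ChildSA
    exchanges: list = field(default_factory=list)  # kept only for inspection


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13 with HMAC-SHA256 as the prf."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def _add_child(ike: IkeSA, nonces: bytes) -> ChildSA:
    """KEYMAT = prf+(SK_d, Ni | Nr) (section 2.17, no PFS).  Reused nonces
    would reproduce old keymat, so the model rejects them."""
    if nonces in ike.used_nonces:
        raise ValueError("nonces reused; Child SA keymat would repeat")
    ike.used_nonces.add(nonces)
    spi, ike.next_spi = ike.next_spi, ike.next_spi + 1
    child = ChildSA(spi=spi, keymat=prf_plus(ike.sk_d, nonces, 64))
    ike.children[spi] = child
    return child


def run_exchange(ike: IkeSA, kind: str, nonces: bytes = b"") -> Exchange:
    """Drive one request/response pair through the IKE SA.

    Every call records an Exchange; only IKE_AUTH and CREATE_CHILD_SA also
    create a Child SA, and only IKE_SA_INIT/IKE_AUTH move the IKE state.
    """
    allowed = {
        IkeState.INITIAL: {"IKE_SA_INIT"},
        IkeState.INIT_DONE: {"IKE_AUTH"},
        IkeState.ESTABLISHED: {"CREATE_CHILD_SA", "INFORMATIONAL"},
    }
    if kind not in allowed[ike.state]:
        raise ValueError(f"{kind} not allowed in IKE state {ike.state.name}")

    ex = Exchange(msg_id=ike.next_msg_id, kind=kind)
    if kind == "IKE_SA_INIT":
        # Constructed stand-in for SKEYSEED = prf(Ni | Nr, g^ir); no real DH.
        ike.init_nonces = nonces
        ike.sk_d = prf_plus(b"SKEYSEED(toy)", nonces, 32)
        ike.state = IkeState.INIT_DONE
    elif kind == "IKE_AUTH":
        ike.state = IkeState.ESTABLISHED
        _add_child(ike, ike.init_nonces)   # first Child SA rides on IKE_AUTH
    elif kind == "CREATE_CHILD_SA":
        _add_child(ike, nonces)            # extra or rekeyed Child SA
    # INFORMATIONAL: an exchange and nothing else.

    ike.next_msg_id += 1                   # Message ID consumed only on success
    ike.exchanges.append(ex)
    return ex


def summary(ike: IkeSA) -> tuple:
    """(IKE state name, exchanges seen, Child SAs established)."""
    return ike.state.name, len(ike.exchanges), len(ike.children)


if __name__ == "__main__":
    ike = IkeSA()
    run_exchange(ike, "IKE_SA_INIT", b"Ni|Nr-1")
    run_exchange(ike, "IKE_AUTH")
    run_exchange(ike, "INFORMATIONAL")
    run_exchange(ike, "CREATE_CHILD_SA", b"Ni|Nr-2")
    print(summary(ike))  # ('ESTABLISHED', 4, 2)
```

Running the four exchanges in the `__main__` block gives one IKE SA, four Exchange records and two Child SAs: the INFORMATIONAL exchange leaves an Exchange behind but no SA, which is the case the post says pluto represents with a "child" state. The model also rejects CREATE_CHILD_SA before IKE_AUTH and refuses to derive Child SA keymat from nonces it has already consumed.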