Park Lee wrote:
> I'm using racoon of IPsec-Tools to automatically set up SA for native
> IPsec in Linux kernel 2.6.
> Now, I'm doing some research on IPsec. Here in kernel space, I've
> acquired some data (these data have nothing to do with the original IPsec,
> it's merely some data I got in the kernel space). What I want to do is
> to send these data from kernel to racoon before racoon begins its
> negotiation, and thus when racoon begins the negotiation, it can also
> send these data to its peer when setting up a SA (i.e. when racoon
> finishes its work, these data should also be included in the SA on both
> sides for later use).
> I've looked through the RFC2367 (PF_KEY Key Management API, Version
> 2), but it seems that the messages, such as SADB_ACQUIRE, are unsuitable
> to carry my data from kernel to racoon. How to achieve this? Could you
> please give me some hints?
Park, if you would tell us what's wrong with acquire it would be MUCH
easier for us to suggest something sensible.
I guess you need a separate IPSec SA for every group of network
objects with equal color code. Right? Then, I would:
- add field for colorcoding into SA datastructure;
- extend SA selection algorithm to include check for color code;
- if kernel will not find appropriate SA, it will send ACQUIRE message,
which has to be extended with required colorcode and other info you need
(most likely by adding KMPRIVATE extension);
- extend racoon to understand that data and exchange it with peer. After
successful negotiation new SA will be added by racoon;
- kernel will find that SA and use it for sending data to peer.
If I'm answering the wrong question, please let us know what the
GM Consult Group, UAB
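The ACQUIRE-plus-KMPRIVATE step suggested above, as an added example that is not code from either poster or from IPsec-Tools: it encodes a hypothetical color code in an SADB_X_EXT_KMPRIVATE extension of an SADB_ACQUIRE message and parses it back the way a key-management daemon would, validating every length field against the buffer. Struct layouts and the constants follow RFC 2367; the payload layout of the private extension is an assumption made here.

```c
/* Added example (not from the thread): a colour code carried in a PF_KEY
 * SADB_X_EXT_KMPRIVATE extension. Headers follow RFC 2367; the payload
 * layout of the private extension is an assumption for illustration. */
#include <stdint.h>
#include <string.h>

#define PFKEY_V2             2
#define SADB_ACQUIRE         6
#define SADB_X_EXT_KMPRIVATE 17
#define PFKEY_UNIT64(bytes)  ((bytes) / 8)   /* PF_KEY lengths are in 64-bit units */

struct sadb_msg { uint8_t version, type, err, satype; uint16_t len, reserved;
                  uint32_t seq, pid; };                    /* 16 bytes */
struct sadb_ext { uint16_t len, type; };                   /* 4 bytes, ext padded to 8 */
/* Hypothetical private payload: ext header + 32-bit colour code = 8 bytes. */
struct sadb_x_kmprivate_color { struct sadb_ext hdr; uint32_t color; };

/* Build a minimal SADB_ACQUIRE carrying only the colour extension. */
size_t build_acquire_with_color(uint8_t *buf, size_t cap, uint32_t color) {
    size_t total = sizeof(struct sadb_msg) + sizeof(struct sadb_x_kmprivate_color);
    if (cap < total) return 0;
    struct sadb_msg msg = { PFKEY_V2, SADB_ACQUIRE, 0, 0, PFKEY_UNIT64(total), 0, 1, 0 };
    struct sadb_x_kmprivate_color ext =
        { { PFKEY_UNIT64(sizeof(struct sadb_x_kmprivate_color)), SADB_X_EXT_KMPRIVATE }, color };
    memcpy(buf, &msg, sizeof msg);
    memcpy(buf + sizeof msg, &ext, sizeof ext);
    return total;
}

/* Walk the extension chain as racoon would on receipt; returns 1 and sets
 * *color when a KMPRIVATE extension is found, 0 otherwise. Each length is
 * checked against the buffer so a malformed message cannot be read past. */
int find_color_in_acquire(const uint8_t *buf, size_t n, uint32_t *color) {
    struct sadb_msg msg;
    if (n < sizeof msg) return 0;
    memcpy(&msg, buf, sizeof msg);
    size_t msglen = (size_t)msg.len * 8;
    if (msg.version != PFKEY_V2 || msg.type != SADB_ACQUIRE || msglen > n) return 0;
    for (size_t off = sizeof msg; off + sizeof(struct sadb_ext) <= msglen; ) {
        struct sadb_ext e;
        memcpy(&e, buf + off, sizeof e);
        size_t elen = (size_t)e.len * 8;
        if (elen < 8 || off + elen > msglen) return 0;    /* malformed chain */
        if (e.type == SADB_X_EXT_KMPRIVATE && elen >= sizeof(struct sadb_x_kmprivate_color)) {
            memcpy(color, buf + off + sizeof e, sizeof *color);
            return 1;
        }
        off += elen;
    }
    return 0;
}
```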