#4 To obtain IPSEC statistics through adminport

closed
nobody
None
5
2009-01-16
2005-02-15
Ram
No

To obtain IPSEC statistics through adminport - A means
to obtain the number of bytes/packets per connection
(SPI) which go as encrypted/unencrypted in each
direction - "in", "out", "fwd".

As this may require a kernel patch, this kernel patch and
a suitable interface to obtain this kernel info is to be
incorporated.

Discussion

  • Aidas Kasparas
    2005-02-15

    Why do you need to do that through adminport?

    You see, en/de-capsulation of data packets into/from ipsec
    packets is a matter for the kernel. Racoon is involved in this
    business only to set the SAs which govern that process. Therefore
    adminport is not an appropriate place to insert that functionality.

    Part of the information you requested is already available
    otherwise:
    1) the number of unencrypted bytes is shown by "setkey -D"
    (accuracy should be checked, as I sent a ping, ping claimed it
    sends 64-byte packets, but that number increased only by 56);
    2) the number of encrypted bytes can be found through iptables
    (you have to select -p esp and optionally the required SPI).
    Yes, I understand that it is tricky to set up such an iptables
    rule in a dynamic environment before packets start going through
    that SPI.

    By extending kernel and setkey utility one could make number
    of encrypted bytes available at the same place as number of
    unencrypted bytes. That would require:
    1) counting such bytes in kernel;
    2) introduce new payload in PFKEY, fill it in kernel side;
    3) teach setkey to understand that payload.

    As the first two will involve kernel, you have to supply
    very good reason for this feature for it to be developed
    and go to mainline kernel.
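
Added example, not part of the original thread or of ipsec-tools: a Python parser for the per-SA "current: N(bytes)" counter in `setkey -D` output, the source named in the comment above, with a per-SPI delta between two snapshots. The sample text is constructed in the layout `setkey -D` prints, and `parse_sad` and `byte_deltas` are hypothetical helper names.

```python
import re

# Constructed sample in the layout `setkey -D` prints; all values are made up.
TEMPLATE = """\
192.0.2.1 192.0.2.2
\tesp mode=transport spi=52736208(0x0324b0d0) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Feb 15 10:00:00 2005\tcurrent: Feb 15 10:05:00 2005
\tcurrent: {out}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: {n}\thard: 0\tsoft: 0
192.0.2.2 192.0.2.1
\tesp mode=transport spi=231139121(0x0dc6e731) reqid=0(0x00000000)
\tcreated: Feb 15 10:00:00 2005\tcurrent: Feb 15 10:05:00 2005
\tcurrent: {inb}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: {n}\thard: 0\tsoft: 0
"""
T0 = TEMPLATE.format(out=560, inb=560, n=10)  # snapshot before one ping
T1 = TEMPLATE.format(out=616, inb=616, n=11)  # snapshot after (constructed +56)

SA_HEAD = re.compile(r"^(\S+) (\S+)\s*$")  # unindented "src dst" starts an SA
PROTO = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-f]+)\)")
# The timestamp line also contains "current:", but it starts with "created:",
# so anchoring at line start selects only the byte counter line.
BYTES = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")
ALLOC = re.compile(r"^\s+allocated:\s+(\d+)")

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, bytes, allocated."""
    sas, cur = [], None
    for line in text.splitlines():
        if (m := SA_HEAD.match(line)):
            cur = {"src": m[1], "dst": m[2]}
            sas.append(cur)
        elif cur is None:
            continue  # e.g. "No SAD entries."
        elif (m := PROTO.match(line)):
            cur.update(proto=m[1], mode=m[2], spi=m[3])
        elif (m := BYTES.match(line)):
            cur["bytes"] = int(m[1])
        elif (m := ALLOC.match(line)):
            cur["allocated"] = int(m[1])
    return sas

def byte_deltas(before, after):
    """Bytes added per (src, dst, spi); an SA new in `after` counts from 0."""
    key = lambda s: (s["src"], s["dst"], s.get("spi"))
    base = {key(s): s.get("bytes", 0) for s in parse_sad(before)}
    return {key(s): s.get("bytes", 0) - base.get(key(s), 0) for s in parse_sad(after)}

if __name__ == "__main__":
    for sa, added in byte_deltas(T0, T1).items():
        print(*sa, f"+{added} bytes")
```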

     
  • Timo Teras
    2009-01-16

    • status: open --> closed
     
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for, please submit a new bug report to the https://trac.ipsec-tools.net/ issue tracker. Thank you.