In the course of yesterday I went from simply studying 'man setkey' to
rummaging through kernel sources that deal with the implementation of
ipsec (unfortunately they weren't easy to find, given that the term
'ipsec' seemingly has been avoided at all costs for some reason).
Here's what I would like to do: set a security association for a
network, instead of between two hosts, with one line of configuration
(using a 'slash' bitmask identifier, for example) and one sadb entry.
From the way things are implemented now with getaddrinfo() and related
structures, it looks like my idea isn't possible at the moment.
Why do I want to do this? To implement groupkeys. More elaborately:
multicast, asynchronous key updates over potentially unstable and
low-bandwidth (mobile) networks, etc. Anyway, I have my reasons, and I
think I can say that they are valid.
From what I gather, it should be possible to do this, using:
- a change in the parsing logic of 'setkey' to include the 'slashy'
- a change from struct addrinfo to something that encapsulates networks
instead, with an address and a mask address.
- this change must then also be taken into the kernel, where the xfrm_*
code must be changed (I think most prominently, xfrm_addr_cmp, right?)
to reflect the selection of this structure based on packet info.
- I am not sure (haven't looked any further) whether a state, linked to
a SA, is possible to have between multiple hosts (IV's? Replay
So, what do you think? Is it possible/desirable? Is this the right place
to put it forward?
KJ Hermans, Fox IT
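To make the proposed address-plus-mask selector concrete, here is an added illustration in C (not code from the post, from setkey, or from the kernel's xfrm implementation): a hypothetical `net_sel` structure parsed from the 'slashy' notation, the masked compare that a network-aware xfrm_addr_cmp would need instead of an exact host match, and a single SADB entry (`sa_entry`, `sadb_lookup`, both invented names) covering a whole network. It handles both IPv4 and IPv6 and treats a bare host address as a /32 or /128, i.e. today's host-to-host case.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical network-scoped SA selector (illustration, not the kernel's
 * xfrm code): one address plus a prefix length, e.g. "10.1.0.0/16". */
struct net_sel {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* network address bytes */
    unsigned prefixlen;      /* number of significant leading bits */
};

/* Parse "addr/len" (or a bare host address) into sel; 0 on success, -1 if malformed. */
int net_sel_parse(const char *spec, struct net_sel *sel) {
    char buf[64];
    const char *slash = strchr(spec, '/');
    size_t n = slash ? (size_t)(slash - spec) : strlen(spec);
    if (n >= sizeof buf) return -1;
    memcpy(buf, spec, n); buf[n] = '\0';
    sel->family = strchr(buf, ':') ? AF_INET6 : AF_INET;
    if (inet_pton(sel->family, buf, sel->addr) != 1) return -1;
    unsigned maxlen = sel->family == AF_INET ? 32 : 128;
    sel->prefixlen = slash ? (unsigned)atoi(slash + 1) : maxlen; /* no slash = single host */
    return sel->prefixlen <= maxlen ? 0 : -1;
}

/* Masked compare, i.e. what a network-aware xfrm_addr_cmp would do instead of
 * an exact host match. Returns 1 if addr lies inside sel's network. */
int net_sel_match(const struct net_sel *sel, int family, const unsigned char *addr) {
    unsigned full = sel->prefixlen / 8, rem = sel->prefixlen % 8;
    if (family != sel->family || memcmp(sel->addr, addr, full) != 0) return 0;
    if (rem) {
        unsigned char mask = (unsigned char)(0xffu << (8 - rem));
        if ((sel->addr[full] & mask) != (addr[full] & mask)) return 0;
    }
    return 1;
}

/* One SADB entry keyed by destination network (hypothetical layout), and a
 * lookup that returns the SPI covering a packet's destination, or 0 if none. */
struct sa_entry { struct net_sel dst; unsigned spi; };

unsigned sadb_lookup(const struct sa_entry *tab, size_t n, const char *dst_text) {
    unsigned char addr[16];
    int family = strchr(dst_text, ':') ? AF_INET6 : AF_INET;
    if (inet_pton(family, dst_text, addr) != 1) return 0;
    for (size_t i = 0; i < n; i++)
        if (net_sel_match(&tab[i].dst, family, addr)) return tab[i].spi;
    return 0;
}
```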