From owner-freebsd-net@FreeBSD.ORG Sat Aug 4 16:54:21 2007
From: "aditya kiran" <adityaa.kiran@gmail.com>
To: "George V. Neville-Neil"
Cc: freebsd-net@freebsd.org, blue
Date: Sat, 4 Aug 2007 22:24:21 +0530
Subject: Re: Ipsec - PF_KEY and set_policy
Message-ID: <994cd1cf0708040954w207cb516na2fa14ad8694bb6d@mail.gmail.com>
References: <994cd1cf0707251039j7eaf167fh5851fc979ee2b60@mail.gmail.com> <46A7E70E.70204@zyxel.com.tw>
List-Id: Networking and TCP/IP with FreeBSD

Hi George,

Thanks a lot for the clarification.. Yeah, I was quite confused with ipsec_set_policy - which has multiple definitions, one which converts the human readable policy format and another one inside the kernel.. Doing a little bit of code walk through, it looks like the second one is called when policy is set on the socket..

Thanks,
Adityaa

On 7/27/07, George V. Neville-Neil wrote:
>
> At Thu, 26 Jul 2007 08:13:02 +0800,
> blue wrote:
> >
> > As far as I know, setkey is used for IPsec SP and SA configuration.
> > ipsec_set_policy() could transfer a string to "policy request", which is
> > defined in RFC 2367 PF_KEY. Internally, setkey() will call
> > ipsec_set_policy() to construct the message then send it down to the
> > kernel. However, ipsec_set_policy() is used only for SP, not SA.
> >
> And expanding on this just a bit, there is a difference between a
> policy (SP) and an association (SA) which is important to understand.
> A policy describes something more general, such as "Between network A
> and network B use an IPSEC ESP tunnel for all traffic." while an
> association is an active communication channel like, "Between address
> A and address B we have a tunnel using ESP with key X." There are two
> databases in the kernel for this, a Security Policy Database which is
> manipulated using the ipsec_set_policy() routine, and a Security
> Association Database which is manipulated using direct calls to PF Key
> sockets.
>
> See RFC 2401 for a good intro to these concepts.
>
> Best,
> George
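George's SPD/SAD distinction above, as an added example that is not part of the thread: a C block that builds the RFC 2367 PF_KEY base header for an SADB_DUMP request (the SAD side, spoken to over a PF_KEY socket rather than through ipsec_set_policy()) and validates a reply header before anything after it is trusted. The struct and helper names are mine, not those of FreeBSD's <net/pfkeyv2.h>; the numeric constants are the ones RFC 2367 assigns.

```c
/* Added example, not from the thread: the RFC 2367 PF_KEY base header for
 * an SADB_DUMP request, i.e. the "direct calls to PF Key sockets" used for
 * the SAD, as opposed to the SP path (ipsec_set_policy()/setkey). The
 * bytes produced here are what a program write()s to a socket opened with
 * socket(PF_KEY, SOCK_RAW, PF_KEY_V2), which requires privilege. */
#include <stdint.h>
#include <string.h>

#define PF_KEY_V2       2   /* RFC 2367: sadb_msg_version */
#define SADB_DUMP       10  /* RFC 2367 message type: dump the SAD */
#define SADB_SATYPE_ESP 3   /* RFC 2367 SA type: ESP */

/* Base header as laid out in RFC 2367 section 2.3 (exactly 16 bytes). */
struct sadb_msg_hdr {
    uint8_t  version, type, errno_, satype;
    uint16_t len;       /* whole message length in 64-bit units */
    uint16_t reserved;
    uint32_t seq;       /* echoed by the kernel so replies can be matched */
    uint32_t pid;
};

/* Fill a dump request; returns the byte count to write() to the socket. */
size_t pfkey_build_dump(struct sadb_msg_hdr *m, uint8_t satype,
                        uint32_t seq, uint32_t pid) {
    memset(m, 0, sizeof *m);
    m->version = PF_KEY_V2;
    m->type    = SADB_DUMP;
    m->satype  = satype;
    m->len     = sizeof *m / 8;     /* 16 bytes -> 2 */
    m->seq     = seq;
    m->pid     = pid;
    return sizeof *m;
}

/* Validate a reply header before any extension is parsed: 0 if usable,
 * otherwise a negative code naming the check that failed. */
int pfkey_check_reply(const void *buf, size_t n, uint8_t want_type,
                      uint32_t want_seq) {
    struct sadb_msg_hdr m;
    if (n < sizeof m) return -1;                 /* short read */
    memcpy(&m, buf, sizeof m);
    if (m.version != PF_KEY_V2) return -2;
    if ((size_t)m.len * 8 != n) return -3;       /* length disagrees */
    if (m.errno_ != 0) return -4;                /* kernel reported error */
    if (m.type != want_type || m.seq != want_seq) return -5;
    return 0;
}
```

A real dump reply carries SA extensions after this header, one message per SA; the length and errno checks are what keep a truncated or failed reply from being parsed as if it held an SA.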