Date: Sat, 4 Aug 2007 22:24:21 +0530
From: "aditya kiran" <adityaa.kiran@gmail.com>
To: "George V. Neville-Neil" <gnn@neville-neil.com>
Cc: freebsd-net@freebsd.org, blue <susan.lan@zyxel.com.tw>
Subject: Re: Ipsec - PF_KEY and set_policy
Message-ID: <994cd1cf0708040954w207cb516na2fa14ad8694bb6d@mail.gmail.com>
In-Reply-To: <m2zm1i1hm0.wl%gnn@neville-neil.com>
References: <994cd1cf0707251039j7eaf167fh5851fc979ee2b60@mail.gmail.com> <46A7E70E.70204@zyxel.com.tw> <m2zm1i1hm0.wl%gnn@neville-neil.com>
Hi George,

Thanks a lot for the clarification. Yeah, I was quite confused with ipsec_set_policy, which has multiple definitions: one which converts the human-readable policy format and another one inside the kernel. Doing a little bit of code walk-through, it looks like the second one is called when policy is set on the socket.

Thanks,
Adityaa

On 7/27/07, George V. Neville-Neil <gnn@neville-neil.com> wrote:
>
> At Thu, 26 Jul 2007 08:13:02 +0800,
> blue wrote:
> >
> > As far as I know, setkey is used for IPsec SP and SA configuration.
> > ipsec_set_policy() could transfer a string to "policy request", which is
> > defined in RFC 2367 PF_KEY. Internally, setkey() will call
> > ipsec_set_policy() to construct the message then send it down to the
> > kernel. However, ipsec_set_policy() is used only for SP, not SA.
> >
> And expanding on this just a bit, there is a difference between a
> policy (SP) and an association (SA) which is important to understand.
> A policy describes something more general, such as "Between network A
> and network B use an IPSEC ESP tunnel for all traffic." while an
> association is an active communication channel like, "Between address
> A and address B we have a tunnel using ESP with key X." There are two
> databases in the kernel for this, a Security Policy Database which is
> manipulated using the ipsec_set_policy() routine, and a Security
> Association Database which is manipulated using direct calls to PF Key
> sockets.
>
> See RFC 2401 for a good intro to these concepts.
>
> Best,
> George
>
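To make concrete the "string to policy request" step the thread discusses, here is an added example, not code from the thread or from libipsec, that parses the setkey(8)-style policy syntax the human-readable side uses into the fields a PF_KEY policy request carries (direction, policy type, and per-request protocol/mode/endpoints/level). The accepted keyword sets and the four-request limit are assumptions made for the illustration.

```c
#include <string.h>
/* Added illustration, not libipsec's code: the fields a setkey(8)-style policy
 * string like "out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require" carries before
 * ipsec_set_policy() encodes them as a PF_KEY policy request (sadb_x_policy). */
struct sp_request { char proto[8], mode[10], src[46], dst[46], level[8]; };
struct sp_policy { char dir[4], type[8]; int nreq; struct sp_request req[4]; };
/* Cuts the head off *s at delimiter d; NULL once the input is exhausted. */
static char *next_field(char **s, char d) {
    char *head = *s, *p;
    if (head == NULL) return NULL;
    if ((p = strchr(head, d)) != NULL) { *p = '\0'; *s = p + 1; } else *s = NULL;
    return head;
}
/* Copies s into dst[cap] only if it is one of the allowed keywords. */
static int keyword(char *dst, size_t cap, const char *s, const char *const *allowed) {
    for (; *allowed; allowed++)
        if (strcmp(s, *allowed) == 0 && strlen(s) < cap) { strcpy(dst, s); return 1; }
    return 0;
}
/* Returns 0 on success, -1 on malformed input (bad keyword, missing field). */
int parse_policy(const char *text, struct sp_policy *sp) {
    static const char *const dirs[] = {"in", "out", NULL}, *const types[] = {"discard", "none", "ipsec", NULL},
        *const protos[] = {"ah", "esp", "ipcomp", NULL}, *const modes[] = {"transport", "tunnel", NULL},
        *const levels[] = {"default", "use", "require", "unique", NULL};
    char buf[256], *rest = buf, *tok;
    memset(sp, 0, sizeof *sp);
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    if (!(tok = next_field(&rest, ' ')) || !keyword(sp->dir, sizeof sp->dir, tok, dirs)) return -1;
    if (!(tok = next_field(&rest, ' ')) || !keyword(sp->type, sizeof sp->type, tok, types)) return -1;
    if (strcmp(sp->type, "ipsec")) return 0;    /* discard / none carry no requests */
    /* "ipsec" carries one or more proto/mode/src-dst/level requests; src-dst is
     * empty for transport mode ("esp/transport//require"). */
    while ((tok = next_field(&rest, ' ')) != NULL) {
        if (sp->nreq == 4) return -1;           /* assumed illustration limit */
        struct sp_request *r = &sp->req[sp->nreq++];
        char *fr = tok, *f, *dash;
        if (!(f = next_field(&fr, '/')) || !keyword(r->proto, sizeof r->proto, f, protos)) return -1;
        if (!(f = next_field(&fr, '/')) || !keyword(r->mode, sizeof r->mode, f, modes)) return -1;
        if (!(f = next_field(&fr, '/'))) return -1;
        if (!strcmp(r->mode, "tunnel")) {       /* tunnel mode must name both endpoints */
            if (!(dash = strchr(f, '-'))) return -1;
            *dash++ = '\0';
            if (strlen(f) >= sizeof r->src || strlen(dash) >= sizeof r->dst) return -1;
            strcpy(r->src, f); strcpy(r->dst, dash);
        }
        if (!(f = next_field(&fr, '/')) || !keyword(r->level, sizeof r->level, f, levels)) return -1;
    }
    return sp->nreq > 0 ? 0 : -1;               /* "ipsec" with no request is incomplete */
}
```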