On 11/Nov - 18:45, Robert Elz wrote:
> Date: Mon, 11 Nov 2013 11:49:14 +0100
> From: Arnaud Degroote <degroote%NetBSD.org@localhost>
> Message-ID: <20131111104914.GB6456@bugfree>
>
>
> | If you want to use a programming interface instead of setkey, you can
> | use the function ipsec_set_policy (3) from libipsec which takes the same
> | kind of input than setkey (8).
>
> Thanks, that does help a little - but that interface just seems to take
> a textual description of the policy (which I don't have, but could produce
> with a little sprintf'ing - though doing so seems a little perverse),
> and converts it into a binary structure (that I could probably just fill
> in with C assignment statements - the values for it should not be hard to
> find, and don't in any way depend upon any external specification - just what
> port numbers happen to have been assigned to my socket when it connected)
>
> But, that doesn't tell me what to do with the structure when I have built
> it, and I think that's really what I wanted to know.
>
> | Some low-level API exists, but are not documented.
>
> That's what I was afraid of. And I think it is that that I really need
> to get access to.
>
> | Dig into libpfkey.h.
>
> Thanks, but ... that shows me the structure used, which contains many
> fields whose purpose is way beyond anything I can even guess at, and
> prototypes for lots of functions whose purpose I have no idea of (I
> have just taken a quick glance so far, but there look to be too many
> for pure trial and error to ever come up with anything useful.)
>
> | The protocol used is PFKEY, as described in RFC 2367.
>
> That probably helps more, thanks - do we believe that NetBSD supports
> the interface in that RFC completely?
>
I would say YES + some extensions. Though, it is not a 100% guarantee.
You should look closer at
pfkey_send_add2 (add SA)
pfkey_send_update2 (update SA)
pfkey_send_delete (delete SA)
and
pfkey_send_spd{add,update,delete} (add,update,delete SP)
The code, in correlation with the RFC, is relatively simple to
understand.
Or you can directly use pfkey_{send, recv}, which use sadb_msg
(in net/pfkeyv2.h) directly.
--
Arnaud Degroote
Postdoc
RIA LAAS - CNRS
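Added example, not code from this thread or from NetBSD: the kind of SADB_X_SPDADD message that pfkey_send_spdadd() assembles, built by hand from struct sadb_msg plus the RFC 2367 address extensions and the KAME policy extension, for a policy that requires ESP in transport mode on one outbound TCP flow identified by its ports. The struct layouts and constants are transcribed from RFC 2367 and KAME and are assumed to match NetBSD's net/pfkeyv2.h and netinet6/ipsec.h; on NetBSD include those headers instead of the local definitions, and hand the finished buffer to pfkey_send() on a socket from pfkey_open().

```c
/* Added example (not from the thread or NetBSD): build a KAME-style PF_KEY
 * SADB_X_SPDADD message requiring ESP/transport for one outbound TCP flow.
 * Layouts/constants are transcribed from RFC 2367 and KAME and ASSUMED to
 * match NetBSD's net/pfkeyv2.h and netinet6/ipsec.h (include those there). */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

enum { PF_KEY_V2 = 2, SADB_X_SPDADD = 14, SADB_EXT_ADDRESS_SRC = 5,
       SADB_EXT_ADDRESS_DST = 6, SADB_X_EXT_POLICY = 18 };
enum { IPSEC_POLICY_IPSEC = 2, IPSEC_DIR_OUTBOUND = 2, IPSEC_MODE_TRANSPORT = 1,
       IPSEC_LEVEL_REQUIRE = 3, PFKEY_UNIT64 = 8 /* sadb_*_len counts 8-byte units */ };

/* RFC 2367 message header and address extension; KAME policy extension. */
struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
                  uint16_t sadb_msg_len, sadb_msg_reserved; uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_address { uint16_t sadb_address_len, sadb_address_exttype;
                      uint8_t sadb_address_proto, sadb_address_prefixlen; uint16_t sadb_address_reserved; };
struct sadb_x_policy { uint16_t sadb_x_policy_len, sadb_x_policy_exttype, sadb_x_policy_type;
                       uint8_t sadb_x_policy_dir, sadb_x_policy_reserved; uint32_t sadb_x_policy_id, sadb_x_policy_reserved2; };
struct sadb_x_ipsecrequest { uint16_t sadb_x_ipsecrequest_len /* in BYTES, unlike the others */, sadb_x_ipsecrequest_proto;
                             uint8_t sadb_x_ipsecrequest_mode, sadb_x_ipsecrequest_level; uint16_t sadb_x_ipsecrequest_reqid; };

/* Append one address extension: 8-byte header, then a sockaddr_in whose port narrows the flow. */
static size_t put_addr(uint8_t *p, uint16_t exttype, const char *ip, uint16_t port) {
    struct sadb_address a = { (uint16_t)((sizeof a + sizeof(struct sockaddr_in)) / PFKEY_UNIT64), exttype, IPPROTO_TCP, 32, 0 };
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);              /* on NetBSD also set sin.sin_len = sizeof sin */
    sin.sin_family = AF_INET; sin.sin_port = htons(port); inet_pton(AF_INET, ip, &sin.sin_addr);
    memcpy(p, &a, sizeof a); memcpy(p + sizeof a, &sin, sizeof sin);
    return sizeof a + sizeof sin;
}

/* Fill buf (>= 88 bytes) for src:sport -> dst:dport; returns the length in bytes.
 * Hand the buffer to pfkey_send() and read the kernel's echo: sadb_msg_errno there reports failure. */
size_t build_spdadd(uint8_t *buf, const char *src, uint16_t sport, const char *dst, uint16_t dport, uint32_t seq) {
    struct sadb_x_policy pol = { (uint16_t)((sizeof pol + sizeof(struct sadb_x_ipsecrequest)) / PFKEY_UNIT64),
                                 SADB_X_EXT_POLICY, IPSEC_POLICY_IPSEC, IPSEC_DIR_OUTBOUND, 0, 0, 0 };
    struct sadb_x_ipsecrequest req = { (uint16_t)sizeof req, IPPROTO_ESP, IPSEC_MODE_TRANSPORT, IPSEC_LEVEL_REQUIRE, 0 };
    size_t off = sizeof(struct sadb_msg);     /* header written last, once the total length is known */
    off += put_addr(buf + off, SADB_EXT_ADDRESS_SRC, src, sport);
    off += put_addr(buf + off, SADB_EXT_ADDRESS_DST, dst, dport);
    memcpy(buf + off, &pol, sizeof pol); off += sizeof pol;
    memcpy(buf + off, &req, sizeof req); off += sizeof req;
    struct sadb_msg hdr = { PF_KEY_V2, SADB_X_SPDADD, 0, 0, (uint16_t)(off / PFKEY_UNIT64), 0, seq, 0 };
    memcpy(buf, &hdr, sizeof hdr);
    return off;                               /* 88 bytes, so sadb_msg_len == 11 */
}
```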