(usagi-users 03127) Re: [Ipsec-tools-devel] Issues on calling racoon in Linux kernel 2.6
- To: Park Lee <parklee_sel@xxxxxxxxx>
- Subject: (usagi-users 03127) Re: [Ipsec-tools-devel] Issues on calling racoon in Linux kernel 2.6
- From: Aidas Kasparas <a.kasparas@xxxxxx>
- Date: Fri, 19 Nov 2004 08:52:11 +0200
- Cc: ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx, usagi-users@xxxxxxxxxxxxxx
- In-reply-to: <20041118163550.49718.qmail@web51501.mail.yahoo.com>
- References: <20041118163550.49718.qmail@web51501.mail.yahoo.com>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Resent-date: Fri, 19 Nov 2004 15:53:01 +0900
- Resent-from: yoshfuji@xxxxxxxxxxxxxx
- Resent-message-id: <200411191553.FMLAAB25116.usagi-users@linux-ipv6.org>
- Resent-to: usagi-users@xxxxxxxxxxxxxx (moderated)
- User-agent: Mozilla Thunderbird 0.8 (X11/20040918)
Park Lee wrote:
> Then, where is the code in the source code of Linux kernel 2.6 that
> calls racoon? When the kernel calls racoon, can it pass some additional
> attributes to racoon (so that racoon can finally set up an IPsec SA with
> these additional attributes)?
The code is at net/key/af_key.c. It implements the PF_KEY protocol.
Requests to establish a SA are sent to every program which has an open
PF_KEY socket and has requested to receive such requests. The basis for the
PF_KEY protocol is documented in RFC 2367, but the Linux kernel and racoon
implement an extended version of that spec (I don't know of better
documentation for the extensions than the source).
Taking your previous messages into account, I would like to point out to you
that even the RFC version has a "Sensitivity Extension" (see 2.3.6). Both the
kernel and racoon know about this structure, but do not use it AFAIK.
If this does not suit your needs, the kernel has the KMPRIVATE extension, which
can be used for whatever. I'm not aware of any rules on how to use and how
not to use it.
--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
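The exchange Aidas describes above (a user-space key manager opening a PF_KEY socket, registering for a SA type, and then receiving the kernel's requests for a SA) as an added example; this is not code from the list thread, from the kernel's net/key/af_key.c, or from racoon. It uses only the RFC 2367 base header layout and message-type values; the struct name `pfkey_hdr`, the function names and the `PFKEY_*` constants are this example's own, and the Linux/racoon extensions (including KMPRIVATE) are not handled.

```c
/* Added example: a minimal PF_KEY key-manager listener, in the role the
 * thread describes for racoon.  Message layout and type values follow
 * RFC 2367 section 2; names below are this example's own, not the kernel's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef PF_KEY
#define PF_KEY 15            /* Linux value; used only if <sys/socket.h> lacks it */
#endif

enum {
    PFKEY_V2         = 2,    /* sadb_msg_version */
    PFKEY_ACQUIRE    = 6,    /* SADB_ACQUIRE: kernel asks registered key managers for a SA */
    PFKEY_REGISTER   = 7,    /* SADB_REGISTER: subscribe to ACQUIRE for one SA type */
    PFKEY_SATYPE_ESP = 3
};

/* Base header of every PF_KEY message (RFC 2367 2.1): 16 bytes, host byte order. */
struct pfkey_hdr {
    uint8_t  version;
    uint8_t  type;
    uint8_t  errno_;
    uint8_t  satype;
    uint16_t len;            /* total message length in 64-bit units, header included */
    uint16_t reserved;
    uint32_t seq;
    uint32_t pid;
};

/* Build a header-only SADB_REGISTER for one SA type; returns bytes written (0 on error). */
size_t pfkey_build_register(uint8_t *buf, size_t cap, uint8_t satype, uint32_t pid)
{
    struct pfkey_hdr h;
    if (cap < sizeof h) return 0;
    memset(&h, 0, sizeof h);
    h.version = PFKEY_V2;
    h.type    = PFKEY_REGISTER;
    h.satype  = satype;
    h.len     = sizeof h / 8;    /* 16 bytes -> 2 units */
    h.seq     = 1;
    h.pid     = pid;
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* Validate a received message and return its type, or -1 if malformed.
 * The declared length must match what was actually read before any
 * extension headers following the base header are walked. */
int pfkey_msg_type(const uint8_t *buf, size_t n)
{
    struct pfkey_hdr h;
    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.version != PFKEY_V2) return -1;
    if ((size_t)h.len * 8 != n) return -1;
    return h.type;
}

int main(void)
{
    uint8_t buf[4096];
    int s = socket(PF_KEY, SOCK_RAW, PFKEY_V2);   /* needs CAP_NET_ADMIN on Linux */
    if (s < 0) { perror("socket(PF_KEY)"); return 1; }

    size_t n = pfkey_build_register(buf, sizeof buf, PFKEY_SATYPE_ESP, (uint32_t)getpid());
    if (write(s, buf, n) != (ssize_t)n) { perror("SADB_REGISTER"); return 1; }

    /* The kernel first echoes the REGISTER reply, then delivers an ACQUIRE
     * each time an SPD entry needs an ESP SA that does not exist yet. */
    for (;;) {
        ssize_t r = read(s, buf, sizeof buf);
        if (r <= 0) break;
        int t = pfkey_msg_type(buf, (size_t)r);
        if (t == PFKEY_ACQUIRE)
            printf("SADB_ACQUIRE: kernel wants a SA (satype %u)\n", buf[3]);
        else
            printf("PF_KEY message type %d\n", t);
    }
    close(s);
    return 0;
}
```

A real key manager (racoon among them) would parse the address and proposal extensions carried after the base header of the ACQUIRE, negotiate with the peer, and answer with SADB_GETSPI/SADB_UPDATE or SADB_ADD; the length check in `pfkey_msg_type` is the minimum a process reading a kernel-facing socket should do before trusting those extension offsets.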