
(usagi-users 03133) Re: [Ipsec-tools-devel] How to send additional data from kernel to racoon?

Park Lee wrote:
Hi,
I'm using racoon from IPsec-Tools to automatically set up SAs for native IPsec in the Linux 2.6 kernel.
Now, I'm doing some research on IPsec. Here in kernel space, I've acquired some data (these data have nothing to do with the original IPsec; it's merely some data I got in kernel space). What I want to do is to send these data from the kernel to racoon before racoon begins its negotiation, and thus when racoon begins the negotiation, it can also send these data to its peer when setting up an SA (i.e. when racoon finishes its work, these data should also be included in the SA on both sides for later use).

I've looked through RFC 2367 (PF_KEY Key Management API, Version 2), but it seems that the messages, such as SADB_ACQUIRE, are unsuitable to carry my data from the kernel to racoon. How can I achieve this? Could you please give me some hints?

Park, if you would tell us what's wrong with acquire it would be MUCH easier for us to suggest something sensible.


I guess you need a separate IPsec SA for every group of network objects with an equal color code. Right? Then, I would:
- add a field for the color code into the SA data structure;
- extend the SA selection algorithm to include a check for the color code;
- if the kernel does not find an appropriate SA, it will send an ACQUIRE message, which has to be extended with the required color code and other info you need (most likely by adding a KMPRIVATE extension);
- extend racoon to understand that data and exchange it with the peer. After successful negotiation the new SA will be added by racoon;
- the kernel will find that SA and use it for sending data to the peer.


If I'm answering the wrong question, please let us know what the question is.

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB
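The ACQUIRE-plus-KMPRIVATE step in the reply above, as an added example that is not code from this thread, from the kernel or from ipsec-tools: a bounds-checked walk over a PF_KEY v2 message that pulls out the private extension's payload, run on a constructed SADB_ACQUIRE. The struct names (msg_hdr, ext_hdr, kmpriv_hdr) and the 4-byte color code payload are assumptions; the field layouts and numeric constants are the ones RFC 2367 and <linux/pfkeyv2.h> define.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Values from RFC 2367 / <linux/pfkeyv2.h>, redefined so the example builds
 * anywhere. Every PF_KEY length field counts 64-bit units, not bytes. */
#define SADB_ACQUIRE         6
#define SADB_X_EXT_KMPRIVATE 17
#define PFKEY_UNIT64         8

struct msg_hdr { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct ext_hdr { uint16_t len, exttype; };                       /* prefix shared by every extension */
struct kmpriv_hdr { uint16_t len, exttype; uint32_t reserved; }; /* sadb_x_kmprivate, 8 bytes */

/* Walk one PF_KEY message and return the byte length of the first KMPRIVATE
 * payload (pointer stored in *out), or -1 if absent or malformed. Each length is
 * checked against the buffer first, so a short or bogus message cannot be over-read. */
int find_kmprivate(const uint8_t *msg, size_t msglen, const uint8_t **out)
{
    struct msg_hdr h;
    if (msglen < sizeof h) return -1;
    memcpy(&h, msg, sizeof h);
    size_t total = (size_t)h.len * PFKEY_UNIT64;
    if (total < sizeof h || total > msglen) return -1;
    for (size_t off = sizeof h; off + sizeof(struct ext_hdr) <= total; ) {
        struct ext_hdr e;
        memcpy(&e, msg + off, sizeof e);
        size_t elen = (size_t)e.len * PFKEY_UNIT64;
        if (elen < sizeof e || elen > total - off) return -1;
        if (e.exttype == SADB_X_EXT_KMPRIVATE) {
            if (elen < sizeof(struct kmpriv_hdr)) return -1;
            *out = msg + off + sizeof(struct kmpriv_hdr);
            return (int)(elen - sizeof(struct kmpriv_hdr));
        }
        off += elen;
    }
    return -1;
}
/* Constructed sample: SADB_ACQUIRE header (16 bytes, satype 3 = ESP) plus one
 * KMPRIVATE extension carrying a 4-byte color code padded to 16 bytes; buf needs 32. */
size_t build_sample_acquire(uint8_t *buf, uint32_t color)
{
    struct msg_hdr h = { 2, SADB_ACQUIRE, 0, 3, 4, 0, 1, 0 };
    struct kmpriv_hdr k = { 2, SADB_X_EXT_KMPRIVATE, 0 };
    memset(buf, 0, 32);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + 16, &k, sizeof k);
    memcpy(buf + 24, &color, sizeof color);
    return 32;
}
```

A daemon-side parser like this also rejects a message whose header claims more 64-bit units than were actually read from the PF_KEY socket, which is the check that matters most once the kernel starts attaching variable-length private data.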