Re: Ipsec - PF_KEY and set_policy
- From: "George V. Neville-Neil" <gnn@xxxxxxxxxxxxxxxx>
- Date: Fri, 27 Jul 2007 15:32:55 +0900
At Thu, 26 Jul 2007 08:13:02 +0800,
blue wrote:
And expanding on this just a bit, there is a difference between a
As far as I know, setkey is used for IPsec SP and SA configuration.
ipsec_set_policy() could transfer a string to "policy request", which is
defined in RFC 2367 PF_KEY. Internally, setkey() will call
ipsec_set_policy() to construct the message then send it down to the
kernel. However, ipsec_set_policy() is used only for SP, not SA.
policy (SP) and an association (SA) which is important to understand.
A policy describes something more general, such as "Between network A
and network B use an IPSEC ESP tunnel for all traffic." while an
association is an active communication channel like, "Between address
A and address B we have a tunnel using ESP with key X." There are two
databases in the kernel for this, a Security Policy Database which is
manipulated using the ipsec_set_policy() routing, and a Security
Association Database which is manipulated using direct calls to PF Key
sockets.
See RFC 2401 for a good intro to these concepts.
Best,
George
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- References:
- Ipsec - PF_KEY and set_policy
- From: aditya kiran
- Re: Ipsec - PF_KEY and set_policy
- From: blue
- Ipsec - PF_KEY and set_policy
- Prev by Date: Re: IPv6 IPsec tunnel configuration
- Next by Date: Re: SADB_X_SPDFLUSH message handling for latest version of IPsec
- Previous by thread: Re: Ipsec - PF_KEY and set_policy
- Next by thread: MPD and fragmentation
- Index(es):
Relevant Pages
|
|
