##### USAGI IPsec #####

Table of Contents
       1. How to Apply Patches
       2. Cipher/Digest Algorithm
       3. PF_KEY v2 Implementation
       4. IPsec Implementation
       4.1 Supported Header Order
       4.2 IPsec Mode
       4.3 Packet Processing
       4.4 Conformance Test
       5. New and Changed Files
       6. References
       7. Acknowledgements
--------------------------
1. How to Apply Patches

       1. apply CryptoAPI patch (if you need to compile for test)
       2. apply ipsec-2.4.20-pre10-ALL.patch.gz
          or ipsec-2.5.43-ALL-03.patch.gz

       We also prepared rough split patches.
       (for PF_KEY, IPv6 and IPv4 part)
       If you apply them instead of ipsec-*-ALL.patch.gz,
       please apply following order:
               ipsec-2.4.20-pre10-PFKEY.patch.gz
               ipsec-2.4.20-pre10-IPV6.patch.gz
               ipsec-2.4.20-pre10-IPV4.patch.gz
       (sorry we haven't prepared rough split patches for 2.5)


2. Cipher/Digest Algorithm

       Supported algorithm:
               Ciphers: DES, 3DES and AES
               Digests: MD5 and SHA1

       We use CryptoAPI as cipher/digest algorithm.
       - CryptoAPI
               http://www.kerneli.org/

3. PF_KEY v2 Implementation

       We introduced struct sockaddr_storage{} to handle both IPv4 and
       IPv6 in Security Association Database (SADB) and Security
       Policy Database (SPD).

       We conform to RFC2367 (PF_KEY_V2).
       Many other implementations have extended PF_KEY_V2 protocol to
       process IPsec Security Policy. We have implemented FreeS/WAN's
       PF_KEY extension in order to be compatible with their
       IKEv1 daemon (Pluto).

4. IPsec Implementation

       RFC 2401  Security Architecture for IP
       RFC 2402  IP Authentication Header
       RFC 2406  IP Encapsulating Security Payload

4.1 Supported Header Order

       We support [AH], [ESP], and [AH][ESP].

4.2 IPsec Mode

       Transport Mode

               IPv[46]:
                We implemented inside IP stack.

       Tunnel Mode
               We implemented  IPsec Tunnel Mode by making use of IP
               over IP tunnel

               IPv6:
                We realized it by making use of HUT(mipl) IPv6 over
                IPv6 tunnel.

               IPv4:
                Not yet implemented.(Do we use net/ipv4/ipip.c ?)

4.3 Packet Processing

       Inbound Processing

       Our implementation parses AH and ESP in extension header
       parsing routine (ipv6_parse_exthdrs()). The kernel
       parses AH and ESP and keeps the information of SAs which are
       used during the processing in skb->cb as struct inet6_skb_parm{}.
       The kernel keeps the AH SA information as offset from a IPv6
       header  (the kernel doesn't remove AH header).
       It also keeps ESP SA information as SPI value.

       If there is something wrong in processing AH and/or ESP, the
       kernel drops the packet. When processing completes successfully,
       the kernel compares SAs information and policy in
       ipsec6_input_check(), which is called from ip6_input_finish().

       When using tunnel mode, there are a couple of differences from
       transport mode. The AH and ESP parsing is same as transport
       mode. However, in tunnel mode the kernel uses the inner header's
       addresses as key to lookup IPsec Security Policy Database.

       Outbound Processing

       The kernel checks IPsec Security Policy Database using as a key
       the src/dst address pair. If it matches with the action applying
       IPsec, start IPsec processing (preparing AH calculation, ESP
       encryption, AH calculation).

4.4 Conformance Test

       We have tested TAHI <http://www.tahi.org/> conformance test.
       The results are fine.

5. New and Changed Files

net/key:
Config.in               (NEW) -
Makefile                (NEW) -
af_key.c                (NEW) - PF_KEY_V2 socket interface
                               (derived from FreeS/WAN 1.9
                                pfkey_v2.c. changed a lot.)
pfkey_v2_build.c        (NEW) - building PF_KEY message
                               (derived from FreeS/WAN 1.9
                                changed a little.)
pfkey_v2_ext_bits.c     (NEW) - (derived from FreeS/WAN 1.9.
                                changed a little.)
pfkey_v2_msg.c          (NEW) - PF_KEY helper functions(SA lifetime,...)
pfkey_v2_msg.h          (NEW) - header file for pfkey_v2_msg.c
pfkey_v2_msg_add.c      (NEW) - processing SADB_ADD message
pfkey_v2_msg_delete.c   (NEW) - processing SADB_DELETE message
pfkey_v2_msg_flow.c     (NEW) - processing SADB_X_ADDFLOW
                               and SADB_X_DELFLOW messages
pfkey_v2_msg_get.c      (NEW) - processing SADB_GET message
pfkey_v2_msg_getspi.c   (NEW) - processing SADB_GETSPI message
pfkey_v2_msg_update.c   (NEW) - processing SADB_UPDATE message
sa_index.c              (NEW) - Security Association (SA) index
                               (handle struct sa_index{})
sadb.c                  (NEW) - SA Database
sockaddr_utils.c        (NEW) - utilities
sockaddr_utils.h        (NEW) - utilities
spd.c                   (NEW) - Security Policy (SP) Database
sysctl_net_ipsec.c      (NEW) - sysctls (replay window and debug switch.)

net/ipv6:
Config.in               (CHANGED)
Makefile                (CHANGED)
exthdrs.c               (CHANGED) - inserted ipsec processing functions
ip6_input.c             (CHANGED) - inserted ipsec processing functions
ip6_output.c            (CHANGED) - inserted ipsec processing functions
ipsec6_input.c          (NEW)     - IPsec processing for input packet
ipsec6_output.c         (NEW)     - IPsec processing for output packet
ipv6_sockglue.c         (CHANGED) - inserted IPsec processing functions.
ndisc.c                 (CHANGED) - inserted ipsec processing functions
                                   (for ND packets)
reassembly.c            (CHANGED) - inserted IPsec processing functions.
tcp_ipv6.c              (CHANGED) - inserted IPsec processing functions.
                                   (based IABG IPv6 implementation)
net/ipv4:
Config.in               (CHANGED) -
Makefile                (CHANGED) -
ip_input.c              (CHANGED) - inserted ipsec processing functions
ip_output.c             (CHANGED) - inserted ipsec processing functions
ipsec4_input.c          (NEW)     - IPsec processing for input packet
ipsec4_output.c         (NEW)     - IPsec processing for output packet
tcp_ipv4.c              (CHANGED) - inserted ipsec processing functions

include/linux:
ip.h                    (CHANGED) - introduced struct ip_auth_hdr{}
                                   and ip_esp_hdr{}.
ipsec.h                 (CHANGED) - added IPsec actions and
                                   IPsec4 processing functions.
ipsec6.h                (NEW)     - added IPsec6 processing functions.
pfkey.h                 (NEW)     - PF_KEY related structs
                                   (derived from FreeS/WAN 1.9)
pfkeyv2.h               (NEW)     - PF_KEY_V2 header file
ipv6.h                  (CHANGED) - introduced struct ipv6_auth_hdr{}
                                   and ipv6_esp_hdr.
                                   added  'espspi' member
                                   in struct inet6_skb_parm.
socket.h                (CHANGED) - introduced struct sockaddr_storage{}
                                   to handle both IPv4 and IPv6
                                   sockaddr in SADB/SPD.
sysctl.h                (CHANGED) - added IPsec entry.

include/net:
sadb.h                  (NEW)     - SA Database header file
spd.h                   (NEW)     - SP Database header file
ipv6.h                  (CHANGED) - changed ipv6_parse_exthdrs()

6. References

       USAGI Project http://www.linux-ipv6.org/
       CryptoAPI http://www.kerneli.org/
       FreeS/WAN http://www.freeswan.org/
       IABG http://www.ipv6.iabg.de/

7. Acknowledgements

       Joy Latten <[email protected]>
       and IBM IPv6 team