embedded IPsec source code documentation


ipsecdev.c File Reference


Detailed Description

IPsec network adapter for lwIP.

Author:
Christian Scheurer <http://www.christianscheurer.ch>
OUTLINE:

This network interface will be inserted between the TCP/IP stack and the driver of the physical network adapter. With this, all inbound and outbound traffic can be intercepted and forwarded to the IPsec stack if required.

IMPLEMENTATION:

The main duty of the ipsecdev device is to classify the network traffic and forward it to the appropriate protocol handler:

  • AH/ESP => forward to ipsec_input()
  • IP traffic with policy BYPASS => forward to ip_input()
  • IP traffic with policy DISCARD, or traffic with policy APPLY that carries no IPsec header => discarded

To decide how packets must be processed, a lookup in the Security Policy Database is required. With this, all IPsec logic and IPsec-related processing is kept outside ipsecdev. The motivation is to separate IPsec processing from the peculiarities of the TCP/IP stack and the network driver. If the IPsec stack needs to be ported to another target, all major changes can be done in this module while the rest can be left untouched.

NOTES:

This version of ipsecdev is able to handle traffic passed by a cs8900 driver in combination with lwIP 0.6.3 STABLE. Its structure is similar to that of dumpdev or cs9800if.

This document is part of embedded IPsec
Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
All rights reserved.


Definition in file ipsecdev.c.

#include "lwip/mem.h"
#include "netif/ipsecdev.h"
#include "ipsec/debug.h"
#include "ipsec/ipsec.h"
#include "ipsec/util.h"
#include "ipsec/sa.h"


Defines

#define IPSECDEV_NAME0   'i'
#define IPSECDEV_NAME1   's'

Functions

void ipsecdev_service (struct netif *netif)
err_t ipsecdev_input (struct pbuf *p, struct netif *inp)
err_t ipsecdev_output (struct netif *netif, struct pbuf *p, struct ip_addr *ipaddr)
err_t ipsecdev_netlink_output (struct netif *netif, struct pbuf *p)
err_t ipsecdev_init (struct netif *netif)
void ipsec_set_tunnel (char *src, char *dst)

Variables

sad_entry inbound_sad_config []
spd_entry inbound_spd_config []
sad_entry outbound_sad_config []
spd_entry outbound_spd_config []
db_set_netif db_sets []
db_set_netif * databases
netif mapped_netif
__u32 tunnel_src_addr
__u32 tunnel_dst_addr


Define Documentation

#define IPSECDEV_NAME0   'i'
 

1st letter of device name "is"

Definition at line 79 of file ipsecdev.c.

#define IPSECDEV_NAME1   's'
 

2nd letter of device name "is"

Definition at line 80 of file ipsecdev.c.


Function Documentation

void ipsec_set_tunnel (char *src, char *dst)
 

Setter function for tunnel source and destination address

Parameters:
src source address as string (e.g. "192.168.1.3")
dst destination address as string (e.g. "192.168.1.5")
Returns:
void

Definition at line 481 of file ipsecdev.c.

err_t ipsecdev_init (struct netif *netif)
 

Initialize the ipsec network device

This function must be called prior to any other operation with this device.

Parameters:
netif lwIP network interface data structure for this device. The structure must be initialized with IP, netmask and gateway address.
Returns:
err_t return code
Todo:
this should be somewhere else

selecting the right interface for mapping must be replaced by a more generic method

MAC addresses should be set somewhere else

Definition at line 402 of file ipsecdev.c.

err_t ipsecdev_input (struct pbuf *p, struct netif *inp)
 

This function is used to process incoming IP packets.

This function is called by the physical network driver when a new packet has been received. To decide how to handle the packet, the Security Policy Database is queried. ESP and AH packets are forwarded directly to ipsec_input(), while all other packets must pass the SPD lookup.

Parameters:
p pbuf containing the received packet
inp lwIP network interface data structure for this device. The structure must be initialized with IP, netmask and gateway address.
Returns:
err_t return code
Todo:
Attention: the pbuf structure should be updated using pbuf_header()

Definition at line 123 of file ipsecdev.c.
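The dispatch rules from the OUTLINE and the ipsecdev_input() description above, as an added, self-contained example that is not code from embedded IPsec. The policy enum, the spd_rule table and spd_lookup() are hypothetical stand-ins for the project's own spd_entry tables and SPD lookup; ipsec_input() and ip_input() are represented by a dispatch enum rather than called. The SPD contents are constructed for the example.

```c
/* Added example, not code from embedded IPsec: a self-contained model of the
 * inbound dispatch described in the OUTLINE and in ipsecdev_input(). The
 * policy enum, the spd_rule table and spd_lookup() are hypothetical stand-ins
 * for the project's own spd_entry / SPD lookup; ipsec_input() and ip_input()
 * are represented by the dispatch enum instead of being called. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_PROTO_ESP 50   /* IANA protocol numbers for ESP and AH */
#define IP_PROTO_AH  51

enum policy   { POLICY_BYPASS, POLICY_DISCARD, POLICY_APPLY };
enum dispatch { TO_IPSEC_INPUT, TO_IP_INPUT, DROPPED };

/* hypothetical SPD entry: match on the destination address under a mask
 * (addresses and masks are held in host byte order for readability) */
struct spd_rule {
    uint32_t dst;
    uint32_t mask;
    enum policy policy;
};

/* constructed inbound SPD: 10.0.0.0/24 must arrive protected by IPsec,
 * 192.168.1.0/24 bypasses IPsec, anything else has no entry */
static const struct spd_rule inbound_spd[] = {
    { 0x0A000000u, 0xFFFFFF00u, POLICY_APPLY  },
    { 0xC0A80100u, 0xFFFFFF00u, POLICY_BYPASS },
};

/* first matching rule wins; no matching entry means DISCARD */
static enum policy spd_lookup(uint32_t dst)
{
    size_t i;
    for (i = 0; i < sizeof inbound_spd / sizeof inbound_spd[0]; i++)
        if ((dst & inbound_spd[i].mask) == inbound_spd[i].dst)
            return inbound_spd[i].policy;
    return POLICY_DISCARD;
}

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decide where an inbound packet goes, the way ipsecdev_input() does:
 * AH/ESP straight to the IPsec stack, everything else via the SPD. */
enum dispatch classify_inbound(const uint8_t *pkt, size_t len)
{
    size_t ihl, total;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROPPED;                     /* not a complete IPv4 header */
    ihl   = (size_t)(pkt[0] & 0x0F) * 4;
    total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return DROPPED;                     /* inconsistent lengths */
    if (pkt[9] == IP_PROTO_ESP || pkt[9] == IP_PROTO_AH)
        return TO_IPSEC_INPUT;              /* ipsec_input() handles AH/ESP */
    switch (spd_lookup(load_be32(pkt + 16))) {
    case POLICY_BYPASS:
        return TO_IP_INPUT;                 /* plain IP, hand to ip_input() */
    case POLICY_APPLY:                      /* protection required but absent */
    case POLICY_DISCARD:
    default:
        return DROPPED;
    }
}

/* Build a constructed 20-byte IPv4 header (no options, no payload) and
 * classify it; convenient for exercising the rules above. */
enum dispatch classify_constructed(uint8_t proto, uint32_t src, uint32_t dst)
{
    uint8_t hdr[20];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0x45;                          /* IPv4, IHL = 5 words */
    hdr[3] = 20;                            /* total length */
    hdr[8] = 64;                            /* TTL */
    hdr[9] = proto;
    hdr[12] = (uint8_t)(src >> 24); hdr[13] = (uint8_t)(src >> 16);
    hdr[14] = (uint8_t)(src >> 8);  hdr[15] = (uint8_t)src;
    hdr[16] = (uint8_t)(dst >> 24); hdr[17] = (uint8_t)(dst >> 16);
    hdr[18] = (uint8_t)(dst >> 8);  hdr[19] = (uint8_t)dst;
    return classify_inbound(hdr, sizeof hdr);
}
```

The APPLY case is the one worth noticing: a plaintext packet addressed to a prefix whose policy requires IPsec is dropped rather than passed to ip_input(), so a peer cannot sidestep the tunnel by simply omitting the ESP/AH header. The length checks before the protocol field are read are the same sanity checks a real driver path needs before trusting any header byte.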

err_t ipsecdev_netlink_output (struct netif *netif, struct pbuf *p)
 

This function is used to send a packet directly out of the network device.

The packet is passed as-is to the output function of the network device. It is used to serve ARP traffic.

Parameters:
netif initialized lwIP network interface data structure of this device
p pbuf containing a complete IP packet as payload
Returns:
err_t status

Definition at line 378 of file ipsecdev.c.

err_t ipsecdev_output (struct netif *netif, struct pbuf *p, struct ip_addr *ipaddr)
 

This function is used to send a packet out to the network device.

IPsec processing for outbound traffic is done here before forwarding the IP packet to the physical network device. The SPD is queried in order to know how the packet must be handled.

Parameters:
netif initialized lwIP network interface data structure of this device
p pbuf containing a complete IP packet as payload
ipaddr destination IP address
Returns:
err_t status
Note: a backup of the physical destination IP address is kept, because the inner IP header may become encrypted.

Todo:
this static access to the HW device must be replaced by a more flexible method

lwIP TCP: ESP outbound processing needs to add data after the original packet. Since lwIP TCP does not leave any room after the original packet, we copy the packet into a larger buffer. This step can be avoided if enough room is left after the packet when TCP allocates memory.

Definition at line 243 of file ipsecdev.c.
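The tail-room problem from the ipsecdev_output() Todo above, as an added example that is not code from embedded IPsec: how many bytes ESP appends after the original packet, and the copy-into-a-larger-buffer step when the buffer has none to spare. pkt_buf is a hypothetical stand-in for lwIP's pbuf, and the cipher block size and ICV length are passed as parameters rather than read from the project's SA structures.

```c
/* Added example, not code from embedded IPsec: how much room ESP needs
 * after the original packet, and the "copy into a larger buffer" step that
 * the Todo above describes. pkt_buf is a hypothetical stand-in for lwIP's
 * pbuf; the block size and ICV length are parameters rather than the
 * project's own SA fields. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ESP trailer (RFC 2406 / RFC 4303): padding so that payload + pad-length
 * byte + next-header byte is a multiple of the cipher block size, then the
 * ICV (12 bytes for HMAC-MD5-96 or HMAC-SHA1-96). */
size_t esp_tail_room(size_t payload_len, size_t block_size, size_t icv_len)
{
    size_t pad = (block_size - (payload_len + 2) % block_size) % block_size;
    return pad + 2 + icv_len;
}

struct pkt_buf {
    uint8_t *data;   /* start of the IP packet */
    size_t   len;    /* bytes in use */
    size_t   cap;    /* bytes allocated at data */
};

/* Copy src into a new buffer that leaves `tail` spare bytes after the packet.
 * Returns NULL on allocation failure; the caller releases src afterwards
 * (pbuf_free() in lwIP). */
struct pkt_buf *copy_with_tail_room(const struct pkt_buf *src, size_t tail)
{
    struct pkt_buf *n = malloc(sizeof *n);
    if (n == NULL)
        return NULL;
    n->cap  = src->len + tail;
    n->data = malloc(n->cap);
    if (n->data == NULL) {
        free(n);
        return NULL;
    }
    memcpy(n->data, src->data, src->len);
    n->len = src->len;
    return n;
}

/* Return a buffer with at least `tail` free bytes after the packet: the
 * original when it already has the room (the case the Todo says TCP could
 * provide at allocation time), otherwise a larger copy. */
struct pkt_buf *ensure_tail_room(struct pkt_buf *b, size_t tail)
{
    if (b->cap - b->len >= tail)
        return b;
    return copy_with_tail_room(b, tail);
}
```

Computing the trailer size before touching the buffer is what keeps the padding and ICV from being written past the end of a pbuf that was sized for the plaintext only; if TCP ever reserved esp_tail_room() bytes up front, ensure_tail_room() would return the original buffer and the copy would disappear, as the Todo anticipates.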

void ipsecdev_service (struct netif *netif)
 

This is only provided to keep the interface consistent. The function has no functionality.

Parameters:
netif initialized lwIP network interface data structure of this device
Returns:
void

Definition at line 100 of file ipsecdev.c.


Variable Documentation

db_set_netif* databases
 

reference to the SPD and SA configuration

Definition at line 88 of file ipsecdev.c.

db_set_netif db_sets[]
 

This structure holds sets of databases used by one network interface. Each successful call of ipsec_spd_load_dbs() returns a pointer to an entry of this structure array. One entry holds pointers to an inbound and an outbound SPD and SAD table.

Definition at line 87 of file ipsecdev.c.

sad_entry inbound_sad_config[]
 

inbound SAD configuration data

Definition at line 82 of file ipsecdev.c.

spd_entry inbound_spd_config[]
 

inbound SPD configuration data

Definition at line 83 of file ipsecdev.c.

struct netif mapped_netif
 

handler of physical output device

Definition at line 89 of file ipsecdev.c.

sad_entry outbound_sad_config[]
 

outbound SAD configuration data

Definition at line 84 of file ipsecdev.c.

spd_entry outbound_spd_config[]
 

outbound SPD configuration data

Definition at line 85 of file ipsecdev.c.

__u32 tunnel_dst_addr
 

tunnel destination address (external address of the other IPsec tunnel endpoint)

Definition at line 91 of file ipsecdev.c.

__u32 tunnel_src_addr
 

tunnel source address (external address of this IPsec device)

Definition at line 90 of file ipsecdev.c.


Copyright 2003 by Christian Scheurer and Niklaus Schild