embedded IPsec source code documentation

ipsecdev.h File Reference


Detailed Description

Header of IPsec network adapter for lwIP.

Author:
Christian Scheurer <http://www.christianscheurer.ch>
This document is part of embedded IPsec
Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
All rights reserved.

Definition in file ipsecdev.h.

#include "lwip/netif.h"


Data Structures

struct  ipsecdev_stats

Defines

#define IPSEC_HLEN   (PBUF_IP_HLEN + 24 + PBUF_TRANSPORT_HLEN)
#define IPSEC_MTU   (PBUF_POOL_BUFSIZE - PBUF_LINK_HLEN - IPSEC_HLEN)

Functions

void ipsecdev_service (struct netif *)
err_t ipsecdev_input (struct pbuf *, struct netif *)
err_t ipsecdev_output (struct netif *, struct pbuf *, struct ip_addr *)
err_t ipsecdev_netlink_output (struct netif *netif, struct pbuf *p)
err_t ipsecdev_init (struct netif *)
void ipsec_set_tunnel (char *src, char *dst)


Define Documentation

#define IPSEC_HLEN   (PBUF_IP_HLEN + 24 + PBUF_TRANSPORT_HLEN)

Adds room for another IP header and the AH (24 bytes with HMAC-xxx-96) / ESP (8 bytes) data.

Definition at line 56 of file ipsecdev.h.

#define IPSEC_MTU   (PBUF_POOL_BUFSIZE - PBUF_LINK_HLEN - IPSEC_HLEN)

Maximum packet size which can be handled by ipsecdev.

Definition at line 57 of file ipsecdev.h.


Function Documentation

void ipsec_set_tunnel (char *src, char *dst)

Setter function for the tunnel source and destination address.

Parameters:
src source address as string (e.g. "192.168.1.3")
dst destination address as string (e.g. "192.168.1.5")
Returns:
void

Definition at line 481 of file ipsecdev.c.

err_t ipsecdev_init (struct netif *netif)

Initialize the IPsec network device.

This function must be called prior to any other operation with this device.

Parameters:
netif lwIP network interface data structure for this device. The structure must be initialized with IP, netmask and gateway address.
Returns:
err_t return code
Todo:
this should be somewhere else

selecting the right interface for mapping must be replaced by a more generic method

MAC addresses should be set somewhere else

Definition at line 402 of file ipsecdev.c.

err_t ipsecdev_input (struct pbuf *p, struct netif *inp)

This function is used to process incoming IP packets.

This function is called by the physical network driver when a new packet has been received. To decide how to handle the packet, the Security Policy Database (SPD) is consulted. ESP and AH packets are forwarded directly to ipsec_input(), while all other packets must pass the SPD lookup.

Parameters:
p pbuf containing the received packet
inp lwIP network interface data structure for this device. The structure must be initialized with IP, netmask and gateway address.
Returns:
err_t return code
Todo:
Attention: the pbuf structure should be updated using pbuf_header()

Definition at line 123 of file ipsecdev.c.

err_t ipsecdev_netlink_output (struct netif *netif, struct pbuf *p)

This function is used to send a packet directly out of the network device.

The packet is passed as-is to the network device output function, bypassing IPsec processing. It is used to serve ARP traffic.

Parameters:
netif initialized lwIP network interface data structure of this device
p pbuf containing a complete IP packet as payload
Returns:
err_t status

Definition at line 378 of file ipsecdev.c.

err_t ipsecdev_output (struct netif *netif, struct pbuf *p, struct ip_addr *ipaddr)

This function is used to send a packet out to the network device.

IPsec processing for outbound traffic is done here before forwarding the IP packet to the physical network device. The SPD is queried in order to know how the packet must be handled.

Parameters:
netif initialized lwIP network interface data structure of this device
p pbuf containing a complete IP packet as payload
ipaddr destination IP address
Returns:
err_t status

Note:
a backup of the physical destination IP address is kept, since the inner IP header may become encrypted

Todo:
this static access to the HW device must be replaced by a more flexible method

ESP outbound processing needs to add data after the original packet. Since lwIP TCP does not leave any room after the original packet, the packet is copied into a larger buffer. This copy can be avoided if enough room is left after the packet when TCP allocates memory.

Definition at line 243 of file ipsecdev.c.
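The IPSEC_HLEN / IPSEC_MTU defines above and the Todo note on ipsecdev_output describe the same constraint from two sides: the outbound path must copy the inner packet into a buffer with IPSEC_HLEN bytes of slack, and the copy is only safe if the inner packet does not exceed IPSEC_MTU. The following C program is an added example written for this page, not code from embedded IPsec or lwIP. The PBUF_* values, the split of IPSEC_HLEN into head room and tail room, the struct ipsec_stage type and the ipsec_* function names are all assumptions of the example; only the two IPSEC_* defines are taken from ipsecdev.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed lwIP buffer constants (not defined in ipsecdev.h). Values model one
 * Ethernet-sized pool buffer carrying plain IPv4/TCP headers. */
#define PBUF_IP_HLEN        20
#define PBUF_TRANSPORT_HLEN 20
#define PBUF_LINK_HLEN      14
#define PBUF_POOL_BUFSIZE   1536

/* The two defines from ipsecdev.h, reproduced verbatim. */
#define IPSEC_HLEN (PBUF_IP_HLEN + 24 + PBUF_TRANSPORT_HLEN)
#define IPSEC_MTU  (PBUF_POOL_BUFSIZE - PBUF_LINK_HLEN - IPSEC_HLEN)

/* Room in front of the inner packet: outer IP header plus AH/ESP header.
 * Room behind it: ESP trailer. Splitting IPSEC_HLEN this way is an assumption
 * of this example, not a layout taken from ipsecdev.c. */
#define IPSEC_HEAD_ROOM (PBUF_IP_HLEN + 24)
#define IPSEC_TAIL_ROOM (PBUF_TRANSPORT_HLEN)

/* One staged outbound packet: a pool buffer minus its link-layer header. */
struct ipsec_stage {
    uint8_t buf[PBUF_POOL_BUFSIZE - PBUF_LINK_HLEN];
    size_t  inner_off;   /* where the original IP packet starts inside buf */
    size_t  inner_len;   /* length of the original IP packet */
};

/* 1 if an inner packet of inner_len bytes can be encapsulated within IPSEC_MTU. */
static int ipsec_fits(size_t inner_len)
{
    return inner_len <= (size_t)IPSEC_MTU;
}

/* Total bytes the staged buffer carries once outer header and trailer are in. */
static size_t ipsec_stage_total(const struct ipsec_stage *st)
{
    return IPSEC_HEAD_ROOM + st->inner_len + IPSEC_TAIL_ROOM;
}

/* Copy the inner packet into a buffer that leaves IPSEC_HLEN bytes of slack,
 * the step ipsecdev_output performs because lwIP TCP pbufs leave no room after
 * the packet. Returns 0 on success, -1 if the packet is too large: the MTU
 * check is what keeps the memcpy inside st->buf. */
static int ipsec_stage_packet(const uint8_t *pkt, size_t len, struct ipsec_stage *st)
{
    if (pkt == NULL || st == NULL || !ipsec_fits(len)) {
        return -1;
    }
    st->inner_off = IPSEC_HEAD_ROOM;
    st->inner_len = len;
    memset(st->buf, 0, sizeof st->buf);
    memcpy(st->buf + st->inner_off, pkt, len);
    return 0;
}

/* Build a constructed inner packet of len bytes (first byte shaped like an
 * IPv4 header, then a counter pattern), stage it, and return the staged total
 * length, or 0 when staging was refused or the copy did not round-trip. */
static size_t ipsec_stage_demo(size_t len)
{
    static uint8_t pkt[PBUF_POOL_BUFSIZE];
    static struct ipsec_stage st;
    size_t i;

    if (len > sizeof pkt) {
        return 0;
    }
    for (i = 0; i < len; i++) {
        pkt[i] = (uint8_t)(i & 0xff);
    }
    if (len > 0) {
        pkt[0] = 0x45;  /* constructed: IPv4, IHL = 5 */
    }
    if (ipsec_stage_packet(pkt, len, &st) != 0) {
        return 0;
    }
    if (memcmp(st.buf + st.inner_off, pkt, len) != 0) {
        return 0;
    }
    return ipsec_stage_total(&st);
}

int main(void)
{
    printf("IPSEC_HLEN=%d IPSEC_MTU=%d\n", IPSEC_HLEN, IPSEC_MTU);
    printf("100-byte packet stages to %zu bytes\n", ipsec_stage_demo(100));
    printf("IPSEC_MTU-byte packet stages to %zu bytes\n", ipsec_stage_demo((size_t)IPSEC_MTU));
    printf("IPSEC_MTU+1-byte packet stages to %zu (0 = refused)\n",
           ipsec_stage_demo((size_t)IPSEC_MTU + 1));
    return 0;
}
```

With the assumed constants, IPSEC_HLEN is 64 and IPSEC_MTU is 1458, so a packet of exactly IPSEC_MTU bytes fills the 1522-byte staging buffer to the last byte, and one byte more is refused before any copy takes place. That refusal is the check a port of this driver should keep in front of the copy, since the pool buffer size, not the link MTU, bounds what the outbound path can hold.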

void ipsecdev_service (struct netif *netif)

This function exists only to provide a consistent driver interface. It has no functionality.

Parameters:
netif initialized lwIP network interface data structure of this device
Returns:
void

Definition at line 100 of file ipsecdev.c.


Copyright 2003 by Christian Scheurer and Niklaus Schild