Ipsec - PF_KEY and set_policy
George V. Neville-Neil
gnn at neville-neil.com
Fri Jul 27 06:44:27 UTC 2007
At Thu, 26 Jul 2007 08:13:02 +0800,
blue wrote:
>
> As far as I know, setkey is used for IPsec SP and SA configuration.
> ipsec_set_policy() could transfer a string to "policy request", which is
> defined in RFC 2367 PF_KEY. Internally, setkey() will call
> ipsec_set_policy() to construct the message then send it down to the
> kernel. However, ipsec_set_policy() is used only for SP, not SA.
>
And expanding on this just a bit, there is a difference between a
policy (SP) and an association (SA) which is important to understand.
A policy describes something more general, such as "Between network A
and network B use an IPSEC ESP tunnel for all traffic." while an
association is an active communication channel like, "Between address
A and address B we have a tunnel using ESP with key X." There are two
databases in the kernel for this, a Security Policy Database which is
manipulated using the ipsec_set_policy() routine, and a Security
Association Database which is manipulated using direct calls to PF_KEY
sockets.
See RFC 2401 for a good intro to these concepts.
Best,
George
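As an added illustration, not part of George's mail and not taken from the FreeBSD sources: a setkey(8) script that puts both kinds of entry side by side. The spdadd lines populate the Security Policy Database (SPD) and speak in terms of networks and a required tunnel; the add lines populate the Security Association Database (SAD) and name concrete endpoints, an SPI and keys. The networks (192.0.2.0/24, 198.51.100.0/24), the gateways (203.0.113.1, 203.0.113.2), the SPIs and the hex keys are all constructed for this example and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original mail. Emits a setkey(8) script that
# shows the SPD/SAD split described above. All addresses are RFC 5737
# documentation ranges and all keys are placeholders (assumptions).
#
# Network A: 192.0.2.0/24    behind gateway 203.0.113.1
# Network B: 198.51.100.0/24 behind gateway 203.0.113.2

# SPD: "between network A and network B use an ESP tunnel for all traffic".
# A policy names networks, direction and tunnel endpoints; it carries no SPI
# and no key. One entry per direction.
spd_config() {
    cat <<'EOF'
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
EOF
}

# SAD: "between address A and address B we have a tunnel using ESP with key X".
# An SA is unidirectional, so again one entry per direction, each with its
# own SPI, cipher key and integrity key. The keys below are placeholders
# (AES-128: 16 bytes, HMAC-SHA1: 20 bytes); generate real ones with
# `openssl rand -hex 16` and `openssl rand -hex 20` and never reuse them.
sad_config() {
    cat <<'EOF'
add 203.0.113.1 203.0.113.2 esp 0x1001 -m tunnel -E aes-cbc 0x000102030405060708090a0b0c0d0e0f -A hmac-sha1 0x0001020304050607080910111213141516171819;
add 203.0.113.2 203.0.113.1 esp 0x1002 -m tunnel -E aes-cbc 0x0f0e0d0c0b0a09080706050403020100 -A hmac-sha1 0x1918171615141312111009080706050403020100;
EOF
}

# Complete script in the order setkey expects: flush both databases, then
# load the SAs, then the policies that refer to them.
ipsec_config() {
    printf 'flush;\nspdflush;\n'
    sad_config
    spd_config
}

# Number of entries of one kind ("spdadd" or "add") in the generated script,
# so the SPD/SAD split can be checked without a kernel.
count_entries() {
    ipsec_config | grep -c "^$1 "
}

# Print the script. To load it into the kernel (as root, on a host with
# IPsec support): sh this_script.sh | setkey -c
ipsec_config
```

Running the script only prints the configuration; piping it into `setkey -c` is what makes setkey parse it, build PF_KEY messages (SADB_ADD for the add lines, SADB_X_SPDADD for the spdadd lines) and send them to the kernel, which is the path the thread describes. Note that nothing ties the SPD entry to a particular SA by name: at packet time the kernel matches the policy's tunnel endpoints and protocol against the SAD.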