Provisioning
Provisioning entails setting up security policies and, optionally, adding manual keys between a device and a peer.
Security Policies
TrustCore SDK NanoSec IPsec uses security policies to implement packet filtering, which determines whether a packet is forwarded or discarded and, for forwarded traffic, how it is protected. By defining multiple security policies, different levels of security can be specified for traffic between different sources and destinations. For example, AES encryption can be specified for traffic between peers A and B, and Blowfish for traffic between peers A and C.
Policies are stored in the Security Policy Database (SPD); the security associations that implement them are stored in the Security Association Database (SADB). Both are maintained in memory as part of the IPsec engine. Each policy (SPD entry) defines the traffic to be protected (its selectors), how to protect it (protocol, mode and algorithms), and with whom the protection is shared (the peer).
An application should set up mirrored inbound and outbound policies for every peer-to-peer communication path. A policy covers only one direction, so a path with only an outbound policy lets the first packet out but matches none of the replies, and unmatched traffic is discarded.
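The SPD lookup and the mirrored-policy check described above, as an added example in C. This is not code from TrustCore SDK NanoSec and does not use its API; the struct names, the action enum, the prefix-based selectors and the sample addresses (10.0.0.1 for A, 10.0.0.2 for B, 10.0.0.3 for C) are assumptions constructed for illustration. It shows ordered first-match selector lookup, the fail-closed default for traffic that matches no entry, and a check that flags any policy whose counterpart in the opposite direction is missing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified model of an SPD; not the NanoSec SPD or its API. */
enum traffic_dir { DIR_IN, DIR_OUT };
enum spd_action  { ACT_DISCARD, ACT_BYPASS, ACT_PROTECT };   /* RFC 4301 s4.4.1 */

/* Traffic selector: IPv4 addresses in host byte order, narrowed by a prefix
   length (32 = exact host, 0 = any); proto 0 matches any IP protocol. */
struct selector {
    uint32_t src, dst;
    uint8_t  src_prefix, dst_prefix;
    uint8_t  proto;
};

struct policy {
    enum traffic_dir dir;
    struct selector  sel;
    enum spd_action  act;
    const char      *cipher;   /* what PROTECT uses; informational here */
};

#define MAX_POLICIES 16
struct spd {
    struct policy ent[MAX_POLICIES];
    int n;
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t prefix_mask(uint8_t prefix)
{
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

static int sel_match(const struct selector *s, uint32_t src, uint32_t dst, uint8_t proto)
{
    return (src & prefix_mask(s->src_prefix)) == (s->src & prefix_mask(s->src_prefix)) &&
           (dst & prefix_mask(s->dst_prefix)) == (s->dst & prefix_mask(s->dst_prefix)) &&
           (s->proto == 0 || s->proto == proto);
}

/* Append a policy; entries are ordered, so the first match wins.
   Returns the entry index, or -1 when the table is full. */
static int spd_add(struct spd *db, const struct policy *p)
{
    if (db->n >= MAX_POLICIES) return -1;
    db->ent[db->n] = *p;
    return db->n++;
}

/* First-match lookup for one packet. Traffic matching no entry is DISCARDed,
   the default RFC 4301 requires, so a forgotten policy fails closed. */
static enum spd_action spd_lookup(const struct spd *db, enum traffic_dir d,
                                  uint32_t src, uint32_t dst, uint8_t proto)
{
    for (int i = 0; i < db->n; i++)
        if (db->ent[i].dir == d && sel_match(&db->ent[i].sel, src, dst, proto))
            return db->ent[i].act;
    return ACT_DISCARD;
}

/* Mirror check: every BYPASS or PROTECT entry needs a counterpart in the
   opposite direction with src and dst swapped. Returns the index of the
   first entry that has none, or -1 when the SPD is fully mirrored. */
static int spd_find_unmirrored(const struct spd *db)
{
    for (int i = 0; i < db->n; i++) {
        const struct policy *p = &db->ent[i];
        int found = 0;
        if (p->act == ACT_DISCARD) continue;
        for (int j = 0; j < db->n && !found; j++) {
            const struct policy *q = &db->ent[j];
            found = q->dir != p->dir && q->act == p->act &&
                    q->sel.src == p->sel.dst && q->sel.src_prefix == p->sel.dst_prefix &&
                    q->sel.dst == p->sel.src && q->sel.dst_prefix == p->sel.src_prefix &&
                    q->sel.proto == p->sel.proto;
        }
        if (!found) return i;
    }
    return -1;
}

/* Adds the mirrored pair (outbound and inbound) for one peer-to-peer path. */
static void spd_add_pair(struct spd *db, uint32_t local, uint32_t peer, const char *cipher)
{
    struct policy out = { DIR_OUT, { local, peer, 32, 32, 0 }, ACT_PROTECT, cipher };
    struct policy in  = { DIR_IN,  { peer, local, 32, 32, 0 }, ACT_PROTECT, cipher };
    spd_add(db, &out);
    spd_add(db, &in);
}

/* Constructed sample: A = 10.0.0.1 talks to B = 10.0.0.2 with AES and to
   C = 10.0.0.3 with Blowfish, as in the text; entries 0..3. */
static void build_example_spd(struct spd *db)
{
    memset(db, 0, sizeof *db);
    spd_add_pair(db, ip4(10,0,0,1), ip4(10,0,0,2), "aes");
    spd_add_pair(db, ip4(10,0,0,1), ip4(10,0,0,3), "blowfish");
}

int main(void)
{
    struct spd db;
    build_example_spd(&db);
    printf("A->B out: %d (2 = PROTECT)\n", spd_lookup(&db, DIR_OUT, ip4(10,0,0,1), ip4(10,0,0,2), 6));
    printf("A->X out: %d (0 = DISCARD)\n", spd_lookup(&db, DIR_OUT, ip4(10,0,0,1), ip4(10,0,0,9), 6));
    printf("unmirrored entry: %d (-1 = none)\n", spd_find_unmirrored(&db));
    return 0;
}
```

In a real engine each PROTECT entry also points at the SA, or the keying parameters, that implement it. The mirror check is the kind of validation an application should run over its own policy set before handing it to the SDK, whether the policies come from code or from a script.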
Manually Adding Policies
To add policies manually from within an application's code, place the following call after the call to IPSEC_init:
IPSEC_confAdd
Add rules for the security policy database (SPD).
Scripting Policies
An easier alternative to adding policies manually is to use the TrustCore SDK NanoSec policy scripting feature. Create a text file containing the desired policies, and then add the following call after the call to IPSEC_init:
IPSEC_ParseScript
Read a security policy configuration script and configure corresponding IPsec policies.
Changing Policies
Whenever a user changes the configuration, remove the policies that are no longer valid with the following calls before adding the updated ones:
IPSEC_confDelete
Delete a rule from the SPD.
IPSEC_confFlush
Flush all rules from the SPD.
Manual Keys
TrustCore SDK NanoSec provides manual keying, which the IPsec architecture (RFC 4301) requires implementations to support. Manual keying is more cumbersome and less secure than IKE automatic keying, because keys and SPIs must be distributed out of band and the resulting SAs are never rekeyed; it is nevertheless useful in a variety of situations, such as:
During application development and debugging.
When CPU resources are at a premium.
When integrating with operating systems that lack IKE support, such as Solaris 8.
When the IP address of a peer or device is unknown.
If manual keys are used for provisioning, the application must make the appropriate calls to the IPSEC key functions.
The following call should typically be placed after the call to IPSEC_init:
IPSEC_keyAdd
Add manual keying (SA) between device and a peer.
In addition, the following calls should be made whenever a user makes a configuration change:
IPSEC_keyDelete
Delete a specified manual key.
IPSEC_keyFlush
Flush all manual keys from the system.
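The manual key lifecycle (add, delete, flush) as an added example in C. This is not NanoSec code and does not use its IPSEC_key* API, whose signatures this page does not show; the table layout, the error codes, the ALG_* identifiers and the sample SPIs, addresses and all-zero key are assumptions constructed for illustration. It shows the checks a manual-keying call should make before installing an SA (SPI outside the IANA-reserved range, key length matching the algorithm, unique (SPI, destination, protocol) triple), the delete and flush steps that accompany a configuration change, and the failure mode manual keying has and IKE does not: with no rekeying, an outbound SA must refuse to send once its sequence counter would wrap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified model of a manual-key SA table; not the NanoSec SADB
   or its API. */
#define PROTO_ESP 50
#define SPI_RESERVED_MAX 255u   /* RFC 4303 s2.1: SPI values 1..255 are reserved */
#define MAX_KEY_BYTES 32
#define MAX_SAS 8

/* Algorithm ids chosen so that the enum value is the required key length in bytes. */
enum sa_alg { ALG_AES128_CBC = 16, ALG_AES256_CBC = 32 };

struct manual_sa {
    int         in_use;
    uint32_t    spi;
    uint32_t    dst;        /* destination address, IPv4 in host byte order */
    uint8_t     proto;      /* 50 = ESP, 51 = AH */
    int         outbound;   /* 1: this device sends on the SA; 0: it receives */
    enum sa_alg alg;
    uint8_t     key[MAX_KEY_BYTES];
    uint32_t    seq;        /* last sequence number sent (outbound SAs only) */
};

struct sad { struct manual_sa sa[MAX_SAS]; };

enum { SA_OK = 0, SA_ERR_SPI = -1, SA_ERR_KEYLEN = -2, SA_ERR_DUP = -3,
       SA_ERR_FULL = -4, SA_ERR_NOTFOUND = -5, SA_ERR_DIR = -6, SA_ERR_SEQ_WRAP = -7 };

/* RFC 4301 s4.1: an SA is identified by (SPI, destination address, protocol). */
static struct manual_sa *sad_find(struct sad *db, uint32_t spi, uint32_t dst, uint8_t proto)
{
    for (int i = 0; i < MAX_SAS; i++) {
        struct manual_sa *s = &db->sa[i];
        if (s->in_use && s->spi == spi && s->dst == dst && s->proto == proto)
            return s;
    }
    return NULL;
}

/* Install a manually keyed SA after checking the SPI range, that the key is
   exactly the length the algorithm needs, and that the triple is not already
   in use (a duplicate would silently shadow the existing SA). */
static int sad_key_add(struct sad *db, uint32_t spi, uint32_t dst, uint8_t proto,
                       int outbound, enum sa_alg alg, const uint8_t *key, size_t key_len)
{
    if (spi <= SPI_RESERVED_MAX) return SA_ERR_SPI;
    if (key_len != (size_t)alg || key_len > MAX_KEY_BYTES) return SA_ERR_KEYLEN;
    if (sad_find(db, spi, dst, proto)) return SA_ERR_DUP;
    for (int i = 0; i < MAX_SAS; i++) {
        struct manual_sa *s = &db->sa[i];
        if (s->in_use) continue;
        memset(s, 0, sizeof *s);
        s->in_use = 1; s->spi = spi; s->dst = dst; s->proto = proto;
        s->outbound = outbound; s->alg = alg;
        memcpy(s->key, key, key_len);
        return SA_OK;
    }
    return SA_ERR_FULL;
}

/* Next outbound sequence number. A manual SA is never rekeyed, so once the
   32-bit counter reaches its maximum the SA must stop sending (RFC 4303
   s3.3.3 forbids cycling the counter) instead of reusing values under the
   same key; the operator must then install a fresh SA with a new key. */
static int sad_next_seq(struct manual_sa *s, uint32_t *seq_out)
{
    if (!s->outbound) return SA_ERR_DIR;
    if (s->seq == UINT32_MAX) return SA_ERR_SEQ_WRAP;
    *seq_out = ++s->seq;
    return SA_OK;
}

/* Remove one SA and wipe its key. Production code should use a wipe the
   compiler cannot elide (explicit_bzero, memset_s). */
static int sad_key_delete(struct sad *db, uint32_t spi, uint32_t dst, uint8_t proto)
{
    struct manual_sa *s = sad_find(db, spi, dst, proto);
    if (!s) return SA_ERR_NOTFOUND;
    memset(s, 0, sizeof *s);
    return SA_OK;
}

static void sad_key_flush(struct sad *db) { memset(db, 0, sizeof *db); }

static int sad_count(const struct sad *db)
{
    int n = 0;
    for (int i = 0; i < MAX_SAS; i++) n += db->sa[i].in_use ? 1 : 0;
    return n;
}

int main(void)
{
    static const uint8_t key[16] = {0};   /* constructed sample; never use a zero key */
    struct sad db;
    uint32_t seq = 0;
    sad_key_flush(&db);
    printf("reserved SPI: %d\n", sad_key_add(&db, 100, 0x0A000002u, PROTO_ESP, 1, ALG_AES128_CBC, key, 16));
    printf("add outbound: %d\n", sad_key_add(&db, 0x1000, 0x0A000002u, PROTO_ESP, 1, ALG_AES128_CBC, key, 16));
    printf("first seq: %d -> %u\n", sad_next_seq(sad_find(&db, 0x1000, 0x0A000002u, PROTO_ESP), &seq), seq);
    return 0;
}
```

Each direction is its own SA with its own SPI and key, so a peer-to-peer path needs one outbound and one inbound entry, just as it needs mirrored policies. The sequence-wrap refusal matters most for counter-mode ciphers: the AES-GCM and AES-CCM ESP specifications (RFC 4106, RFC 4309) rule out statically configured keys, because a repeated counter under the same key breaks both confidentiality and integrity, and a manually keyed SA has no way to rotate the key before that happens.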