
User-mode IPsec

This section outlines the setup and management of IPsec in user mode, including source files, build instructions, and execution steps.

Source

For user-mode IPsec, under mss/src/examples:

  • ipsec/linux/missiu/*

  • ipsec_loadconfig/loadConfig_missiu.c

  • ipseckey_example_missiu.c

Build

To build IPsec user mode:

  • Modify pre-defined compile flags in make/Makefile.linux.ipsec as needed

    make -f make/Makefile.linux.ipsec missiu
    

Note: The executables missiu, ike and loadConfig are generated under the ./bin folder.

Run

To run IPsec user mode:

  1. Start missiu to intercept packets in the data path:

    cd bin
    ./missiu -i <interface> [-l <log_file>] startRaw
    # Packets are intercepted on <interface>; <log_file> is created in the /var/run/ folder.
    
  2. A new TAP device (e.g., tap0) is allocated, but it may need to be brought up manually:

    ip link set dev tap0 up
    
  3. Start IKE:

    ./ike [-h] <local_ip_addr> &
    
  4. Load the IPsec configuration:

    ./loadConfig -f <config_file>
    
  5. Add a route to redirect outbound traffic to the TAP device.

    • For example, if the <config_file> contains:

      { raddr 192.168.3.119 ulp icmp } ipsec { encr_algs aes encr_auth_algs sha1 }
      
    • Add the following route:

      route add -host 192.168.3.119 dev tap0
      

Stop

To stop the process:

  1. Stop the ike process:

    killall ike
    
  2. Stop missiu from intercepting packets:

    ./missiu -i <interface> stop
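
The Run and Stop procedures above, as a single POSIX shell script added here as an example (it is not part of the NanoSec documentation or distribution). It executes the steps in the documented order, waits for the TAP device before bringing it up, and derives the host routes in step 5 from the raddr entries in the policy file so the routing step cannot drift from the loaded policy. Assumed (not stated on the page): missiu, ike and loadConfig are invoked from ./bin, the TAP device is tap0, the log file name missiu.log is a constructed choice, and DRY_RUN=1 is this script's own switch that prints each command instead of executing it.

```shell
#!/bin/sh
# Added example, not part of the NanoSec documentation: drives the Run and
# Stop procedures in the documented order and derives the host routes from
# the "raddr" entries in the policy file.
# Assumptions (not stated on the page): missiu, ike and loadConfig sit in
# ./bin; the TAP device is tap0; missiu.log is a constructed log file name;
# DRY_RUN=1 is this script's own switch that prints commands instead of
# executing them.

set -eu

BIN_DIR="${BIN_DIR:-./bin}"
TAP_DEV="${TAP_DEV:-tap0}"
LOG_FILE="${LOG_FILE:-missiu.log}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Print every address that follows a "raddr" keyword in the config file,
# one per line, deduplicated. Lines starting with '#' are skipped.
raddrs_from_config() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "raddr") print $(i + 1) }
    ' | sort -u
}

# Build the route command the page shows, for one remote host.
route_cmd() {
    echo "route add -host $1 dev $TAP_DEV"
}

# Wait up to $2 seconds for the TAP device $1 to be created by missiu.
wait_for_tap() {
    n="${2:-10}"
    while [ "$n" -gt 0 ]; do
        [ -d "/sys/class/net/$1" ] && return 0
        n=$((n - 1))
        sleep 1
    done
    echo "TAP device $1 did not appear" >&2
    return 1
}

# start_ipsec <interface> <local_ip_addr> <config_file>
start_ipsec() {
    iface="$1"; local_ip="$2"; cfg="$3"
    [ -r "$cfg" ] || { echo "config file $cfg is not readable" >&2; return 1; }

    run "$BIN_DIR/missiu" -i "$iface" -l "$LOG_FILE" startRaw   # step 1
    [ "$DRY_RUN" = "1" ] || wait_for_tap "$TAP_DEV" 10
    run ip link set dev "$TAP_DEV" up                             # step 2
    run "$BIN_DIR/ike" "$local_ip" &                              # step 3
    run "$BIN_DIR/loadConfig" -f "$cfg"                           # step 4
    for r in $(raddrs_from_config "$cfg"); do                     # step 5
        run $(route_cmd "$r")
    done
}

# stop_ipsec <interface>: kill ike first, then stop interception.
stop_ipsec() {
    run killall ike
    run "$BIN_DIR/missiu" -i "$1" stop
}

# Usage: ./ipsec_ctl.sh start <interface> <local_ip_addr> <config_file>
#        ./ipsec_ctl.sh stop <interface>
case "${1:-}" in
    start) start_ipsec "$2" "$3" "$4" ;;
    stop)  stop_ipsec "$2" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact command sequence, including the generated route lines, before executing it for real; a policy file with several raddr entries yields one route per distinct remote host.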
    

Additional information

In NanoSec, IKE-to-IPsec communication may use any of the following:

  • IOCTL (e.g. I/O Request Packet (IRP) to driver)

  • PF_KEY (socket based)

  • Direct APIs provided by IPsec

In the data path, packets may be processed as follows:

  • A user space service may use shared memory and IOCTL-based events to receive/transmit packets from a network driver (e.g. an NDIS intermediate driver).

  • A user space process (in the forwarding plane) may call IPSEC_apply for outbound packets and IPSEC_permit for inbound packets. In addition, IPSEC_fragRcv() reassembles fragmented packets.

missiu TAP diagram

The following diagram shows the missiu TAP interactions between user space and kernel space.

Figure 1. missiu TAP interactions