Building and integrating NanoSec
4 minute read
Before beginning integration activities, get familiarized with the NanoSec code base by reviewing the topics in this section.
Supported algorithms
The table below lists the supported algorithms for both IKEv1 and IKEv2 SA negotiations.
| Algorithm | IKE v1 initiator | IKE v1 Responder | IKE v2 Initiator | IKE v2 Responder |
|---|---|---|---|---|
| DH Group 1 | ✔ | ✔ | ✔ | ✔ |
| DH Group 2 | ✔ | ✔ | ✔ | ✔ |
| DH Group 5 | ✔ | ✔ | ✔ | ✔ |
| DH Group 14 | ✔ | ✔ | ✔ | ✔ |
| DH Group 15 | ✔ | ✔ | ✔ | ✔ |
| DH Group 16 | ✔ | ✔ | ✔ | ✔ |
| DH Group 17 | ✔ | ✔ | ✔ | ✔ |
| DH Group 18 | ✔ | ✔ | ✔ | ✔ |
| DH Group 19 | ✔ | ✔ | ✔ | ✔ |
| DH Group 20 | ✔ | ✔ | ✔ | ✔ |
| DH Group 21 | ✔ | ✔ | ✔ | ✔ |
| DH Group 24 | ✔ | ✔ | ||
| DH Group 25 | ✔ | ✔ | ||
| DH Group 26 | ✔ | ✔ | ||
| DH Group 31 | ✔ | ✔ | ||
| DH Group 32 | ✔ | ✔ | ||
| P256 NTRU HPS 2048 509 | ✔ | ✔ | ✔ | ✔ |
| P384 Saber | ✔ | ✔ | ✔ | ✔ |
| P384 NTRU HPS 2048 677 | ✔ | ✔ | ✔ | ✔ |
| P384 NTRU HRSS 701 | ✔ | ✔ | ✔ | ✔ |
| P521 NTRU HPS 821 | ✔ | ✔ | ✔ | ✔ |
| RSA Signature | ✔ | ✔ | ✔ | ✔ |
| ECDSA P256 Signature | ✔ | ✔ | ✔ | ✔ |
| ECDSA P384 Signature | ✔ | ✔ | ✔ | ✔ |
| ECDSA P521 Signature | ✔ | ✔ | ✔ | ✔ |
| ED25519 Signature | ✔ | ✔ | ✔ | ✔ |
| ED448 Signature | ✔ | ✔ | ✔ | ✔ |
Figure 10: Packet flow using IPsec within typical IP stack
APIs
NanoSec is implemented by the following ANSI-C APIs:
- Common code base: Functions common to all TrustCore SDK components; defined in src/common/mocana.h.
- Certificate management: Functions for authentication; defined in src/crypto/ca_mgmt.h.
- IPsec: Functions to configure the NanoSec stack and perform IPsec processing; defined in ipsec.h, ipsecconf.h, and ipseckey.h (all in the directory directory).
- IKE: Functions to configure the NanoSec stack using automatic keys; defined in src/ike/ike.h.
- IKEv2: Functions to configure the NanoSec stack using IKE version 2 protocol; defined in src/ike/ike.h, and implemented in src/ike2/ike2.c.
- Internal data types may be customized in moptions.h by defining the
__ENABLE_MOCANA_BASIC_TYPES_OVERRIDE__flag.
Compilation flags
If an optional flag is applicable to both NanoSec IPsec and IKE, the flag must have the same status (defined or not) for both product builds. (For a complete list of compilation flags and their descriptions, refer to the NanoSec API Reference.)
The table below lists the NanoSec compilation flags. Note that some flags are required only for particular operating systems.
| Flag | IPsec | IKE |
|---|---|---|
__ENABLE_MOCANA_IPSEC_SERVICE__ | ✔ | |
__ENABLE_MOCANA_IKE_SERVER__ (Required for IPsec, also if automatic keying is required) | ✔ | ✔ |
__ENABLE_MOCANA_MEM_PART__ (Linux only) | ✔ | ✔ |
__DISABLE_MOCANA_FILE_SYSTEM_HELPER__ (For OSes with separate kernel and user spaces, such as Linux and Windows XP) | ✔ | |
__DISABLE_MOCANA_RAND_ENTROPY_THREADS__ (For OSes with separate kernel and user spaces, such as Linux and Windows XP) | ✔ | |
__ENABLE_MOCANA_CERTIFICATE_SEARCH_SUPPORT__ | ✔ | |
__ENABLE_IPSEC_NAT_T__ | ✔ | ✔ |
__ENABLE_IPSEC_COOKIE__ † | ✔ | ✔ |
__ENABLE_IPSEC_ESN__ | ✔ | ✔ |
__ENABLE_IPSEC_FLOW__ | ✔ | |
__ENABLE_IPSEC_FRAGMENTATION__ † | ✔ | |
__ENABLE_IPSEC_NULL_TUNNEL__ † | ✔ | |
__ENABLE_IPSEC_PORT_RANGE__ | ✔ | ✔ |
__DISABLE_IPSEC_TUNNEL_MODE__ † | ✔ | ✔ |
__ENABLE_IKE_AGGRESSIVE_MODE__ | ✔ | |
__ENABLE_IKE_CP__ | ✔ | |
__ENABLE_IKE_FRAGMENTATION__ | ✔ | |
__ENABLE_IKE_MODE_CFG__ | ✔ | |
__ENABLE_IKE_OCSP_EXT__ | ✔ | |
__ENABLE_IKE_REDIRECT__ | ✔ | |
__ENABLE_IKE_SIG_AUTH_RFC7427__ | ✔ | |
__ENABLE_IKE_XAUTH__ | ✔ | |
__ENABLE_MOCANA_EXAMPLES__ | ✔ | ✔ |
__ENABLE_MOCANA_IKE_UNSECURE_HASH__ | ✔ | |
__ENABLE_MOCANA_IPV6__ | ✔ | ✔ |
__ENABLE_MOCANA_OCSP_CLIENT__ | ✔ | |
__IKE_MULTI_HOMING__ | ✔ | ✔ |
__IKE_MULTI_THREADED__ | ✔ | |
CUSTOM_IKE_GET_EAP_PROTO † | ✔ | |
CUSTOM_IKE_GET_ID † | ✔ | |
CUSTOM_IKE_GET_PSK † | ✔ | |
CUSTOM_IKE_USE_CERT † | ✔ | |
IKE_CERT_CACHE_MAX † | ✔ | |
IKE_CERT_CHAIN_MAX † | ✔ | |
IKE_EVENT_MAX † | ✔ | |
IKE_IPSECSA_MAX † | ✔ | |
IKE_NONCE_SIZE | ✔ | |
IKE_P2_SA_MAX † | ✔ | |
IKE_SA_MAX † | ✔ | |
IPSEC_DGRAM_MAX † | ✔ | |
IPSEC_DGRAM_SIZE_MAX † | ✔ | |
IPSEC_NEST_MAX † | ✔ | |
IPSEC_PACKETS_MAX † | ✔ | |
IPSEC_REPLAY_SIZE † | ✔ | |
IPSEC_SADB_MAX † | ✔ | |
IPSEC_SPD_MAX † | ✔ | |
MOC_BIG_ENDIAN ‡ | ✔ | ✔ |
MOC_LITTLE_ENDIAN ‡ | ✔ | ✔ |
TIMEOUT_IPSEC_REASSEMBLY † | ✔ |
- § - Required.
- † - Typically no need to define or redefine.
- ‡ - Do not define more than one MOC_*_ENDIAN flag.
Figure 11: Packet flow using IPsec below a binary IP stack
Building NanoSec sample code
To help with integration of NanoSec into devices, a suite of sample code is included in the source distribution (in the src/examples directory). The sample code should be used as a reference and modified as required for inclusion into an application’s source code:
ca_mgmt_example.cShows how to perform authentication with certificates by using the TrustCore SDK certificate management functions.ike_example.cShows how to integrate IKE server into devices for any supported operating system.- Although not a server in the traditional client-server sense, the IKE server plays a control role in setting up the IPsec peer-to-peer communication.
ipsec_example.cShows how to integrate IPsec services into devices, including setting policies and configuring SAs (security associations) via manual keying.ipseckey_example.cShows how to integrate IKE server with the IPsec stack for Windows-based devices. This code can be used as a model for any operating system that has separate user and kernel space applications, where IPsec and IKE must run in separate contexts (IPsec in the kernel context, and IKE in the user context).- Embedded real time operating systems typically do not separate the user and kernel space. For such systems, NanoSec IPsec and NanoSec IKE can run in the same context.
mocana_example.cShows how to initialize TrustCore SDK code.
A sample version of NanoSec IPsec has also been provided to quickly build and demonstrate features of NanoSec.
To generate the NanoSec IPsec quick build, run the following command:
./scripts/nanosec/build_target_ncrypto.sh ike
Was this page helpful?
Provide feedback