From owner-freebsd-net@FreeBSD.ORG Fri Jul 27 06:44:27 2007
From: "George V. Neville-Neil"
To: blue
Cc: freebsd-net@freebsd.org, aditya kiran
Date: Fri, 27 Jul 2007 15:32:55 +0900
Subject: Re: Ipsec - PF_KEY and set_policy
In-Reply-To: <46A7E70E.70204@zyxel.com.tw>
References: <994cd1cf0707251039j7eaf167fh5851fc979ee2b60@mail.gmail.com> <46A7E70E.70204@zyxel.com.tw>
List-Id: Networking and TCP/IP with FreeBSD

At Thu, 26 Jul 2007 08:13:02 +0800,
blue wrote:
>
> As far as I know, setkey is used for IPsec SP and SA configuration.
> ipsec_set_policy() could transfer a string to "policy request", which is
> defined in RFC 2367 PF_KEY. Internally, setkey() will call
> ipsec_set_policy() to construct the message then send it down to the
> kernel. However, ipsec_set_policy() is used only for SP, not SA.
>

And expanding on this just a bit, there is a difference between a policy
(SP) and an association (SA) which is important to understand.  A policy
describes something more general, such as "Between network A and network B
use an IPSEC ESP tunnel for all traffic." while an association is an active
communication channel like, "Between address A and address B we have a
tunnel using ESP with key X."

There are two databases in the kernel for this, a Security Policy Database
which is manipulated using the ipsec_set_policy() routine, and a Security
Association Database which is manipulated using direct calls to PF Key
sockets.  See RFC 2401 for a good intro to these concepts.

Best,
George
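An added example, not part of this thread or of FreeBSD's own code: the SAD side of the split George describes, i.e. an RFC 2367 PF_KEY SADB_ADD message of the kind setkey writes to a PF_KEY socket to install an association, built and then parsed back in C. The struct layouts and constants are transcribed from RFC 2367 rather than taken from a platform pfkeyv2.h, so it compiles without kernel headers; the addresses (documentation ranges), SPI and pid are constructed sample values, and no algorithm, key or lifetime extensions are attached, so this is a minimal message for illustration, not one a kernel would accept as complete. The SPD side (ipsec_set_policy() compiling a setkey-style policy string into a policy request) needs libipsec and is not shown. The parser demonstrates the length checks a kernel, or anything else consuming PF_KEY messages, has to make before trusting user-supplied extension headers.

```c
/* Added example: build and parse an RFC 2367 PF_KEY SADB_ADD message (SAD side).
 * Layouts and constants are transcribed from RFC 2367, not from any platform header. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define PF_KEY_V2            2
#define SADB_ADD             3
#define SADB_SATYPE_ESP      3
#define SADB_EXT_SA          1
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_SASTATE_MATURE  1

/* Base header on every PF_KEY message; all lengths are in 64-bit units. */
struct sadb_msg { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
/* Generic extension header that every extension begins with. */
struct sadb_ext { uint16_t len, type; };
/* SADB_EXT_SA: the association itself (SPI in network byte order, state, algorithms). */
struct sadb_sa { uint16_t len, exttype; uint32_t spi; uint8_t replay, state, auth, encrypt; uint32_t flags; };
/* SADB_EXT_ADDRESS_{SRC,DST}: header followed by a sockaddr padded to 8 bytes. */
struct sadb_address { uint16_t len, exttype; uint8_t proto, prefixlen; uint16_t reserved; };

#define UNITS(bytes) ((uint16_t)(((bytes) + 7) / 8))

/* Build SADB_ADD for an ESP SA src -> dst with the given SPI (host order).
 * Returns the message length in bytes, or 0 if buf is too small. */
size_t build_sadb_add(uint8_t *buf, size_t cap, const char *src, const char *dst, uint32_t spi)
{
    struct sadb_msg m = {0};
    struct sadb_sa sa = {0};
    struct sadb_address a = {0};
    struct sockaddr_in sin;
    const char *ips[2] = { src, dst };
    size_t total = sizeof m + sizeof sa + 2 * (sizeof a + sizeof sin); /* 16+16+2*24 = 80 bytes */
    uint8_t *p = buf;
    int i;
    if (cap < total) return 0;

    m.version = PF_KEY_V2; m.type = SADB_ADD; m.satype = SADB_SATYPE_ESP;
    m.len = UNITS(total); m.seq = 1; m.pid = 4242;      /* pid: constructed, normally getpid() */
    memcpy(p, &m, sizeof m); p += sizeof m;

    sa.len = UNITS(sizeof sa); sa.exttype = SADB_EXT_SA;
    sa.spi = htonl(spi); sa.replay = 32; sa.state = SADB_SASTATE_MATURE;
    memcpy(p, &sa, sizeof sa); p += sizeof sa;          /* auth/encrypt ids left 0 here */

    for (i = 0; i < 2; i++) {                           /* 8-byte header + 16-byte sockaddr_in */
        a.len = UNITS(sizeof a + sizeof sin);
        a.exttype = i == 0 ? SADB_EXT_ADDRESS_SRC : SADB_EXT_ADDRESS_DST;
        a.prefixlen = 32;                               /* a host address, not a subnet */
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        inet_pton(AF_INET, ips[i], &sin.sin_addr);
        memcpy(p, &a, sizeof a); p += sizeof a;
        memcpy(p, &sin, sizeof sin); p += sizeof sin;
    }
    return (size_t)(p - buf);
}

/* Walk the extension chain, checking every length against the buffer before
 * touching it (what a kernel must do with user-supplied PF_KEY messages).
 * Returns the SPI (host order) from SADB_EXT_SA, or 0 if the message is
 * malformed or carries no SA; *n_ext, if given, receives the extension count. */
uint32_t parse_sadb_spi(const uint8_t *buf, size_t n, int *n_ext)
{
    struct sadb_msg m; struct sadb_ext e; struct sadb_sa sa;
    uint32_t spi = 0;
    size_t off, elen = 0;
    if (n_ext) *n_ext = 0;
    if (n < sizeof m) return 0;
    memcpy(&m, buf, sizeof m);
    if (m.version != PF_KEY_V2 || (size_t)m.len * 8 != n) return 0;   /* header length must match */
    for (off = sizeof m; off < n; off += elen) {
        if (n - off < sizeof e) return 0;
        memcpy(&e, buf + off, sizeof e);
        elen = (size_t)e.len * 8;
        if (elen < sizeof e || elen > n - off) return 0;   /* zero-length or oversized extension */
        if (e.type == SADB_EXT_SA) {
            if (elen < sizeof sa) return 0;
            memcpy(&sa, buf + off, sizeof sa);
            spi = ntohl(sa.spi);
        }
        if (n_ext) (*n_ext)++;
    }
    return spi;
}

/* 1 if a built message is 80 bytes and parses back to its SPI with three extensions. */
int demo_roundtrip_ok(void)
{
    uint8_t b[128]; int k = 0;
    size_t n = build_sadb_add(b, sizeof b, "192.0.2.1", "198.51.100.1", 0x1000);
    return n == 80 && parse_sadb_spi(b, n, &k) == 0x1000 && k == 3;
}

/* 1 if an SA extension claiming 200 units, and a truncated copy, are both rejected. */
int demo_rejects_bad_len(void)
{
    uint8_t b[128]; uint16_t bogus = 200;
    size_t n = build_sadb_add(b, sizeof b, "192.0.2.1", "198.51.100.1", 0x1000);
    memcpy(b + sizeof(struct sadb_msg), &bogus, sizeof bogus);   /* clobber sadb_sa.len */
    return parse_sadb_spi(b, n, NULL) == 0 && parse_sadb_spi(b, n - 8, NULL) == 0;
}

int main(void)
{
    uint8_t b[128];
    size_t n = build_sadb_add(b, sizeof b, "192.0.2.1", "198.51.100.1", 0x1000);
    printf("built %u-byte SADB_ADD, parsed SPI 0x%x\n", (unsigned)n, (unsigned)parse_sadb_spi(b, n, NULL));
    return 0;
}
```

Sending such a message for real means opening a PF_KEY socket (socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) as root and writing the buffer to it, with the algorithm and key extensions the kernel requires; nothing in this example touches a socket. The point of parse_sadb_spi is that sadb_msg_len and each sadb_ext_len come from the sender and must be bounded against the actual buffer before any extension is read.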