Date:      Fri, 27 Jul 2007 15:32:55 +0900
From:      "George V. Neville-Neil" <gnn@neville-neil.com>
To:        blue <susan.lan@zyxel.com.tw>
Cc:        freebsd-net@freebsd.org, aditya kiran <adityaa.kiran@gmail.com>
Subject:   Re: Ipsec - PF_KEY and set_policy
Message-ID:  <m2zm1i1hm0.wl%gnn@neville-neil.com>
In-Reply-To: <46A7E70E.70204@zyxel.com.tw>
References:  <994cd1cf0707251039j7eaf167fh5851fc979ee2b60@mail.gmail.com> <46A7E70E.70204@zyxel.com.tw>

At Thu, 26 Jul 2007 08:13:02 +0800,
blue wrote:
> 
> As far as I know, setkey is used for IPsec SP and SA configuration. 
> ipsec_set_policy() could transfer a string to "policy request", which is 
> defined in RFC 2367 PF_KEY. Internally, setkey() will call 
> ipsec_set_policy() to construct the message then send it down to the 
> kernel. However, ipsec_set_policy() is used only for SP, not SA.
> 
And expanding on this just a bit, there is a difference between a
policy (SP) and an association (SA) which is important to understand.
A policy describes something more general, such as "Between network A
and network B use an IPSEC ESP tunnel for all traffic." while an
association is an active communication channel like, "Between address
A and address B we have a tunnel using ESP with key X."  There are two
databases in the kernel for this, a Security Policy Database which is
manipulated using the ipsec_set_policy() routine, and a Security
Association Database which is manipulated using direct calls to PF Key
sockets.

See RFC 2401 for a good intro to these concepts.

Best,
George
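As an added example for this archive page (not George's or FreeBSD's own code), the C below builds by hand the SPD entry that libipsec's ipsec_set_policy() produces from the string "out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require" and hands it to the kernel with setsockopt(IP_IPSEC_POLICY). The helper names, the hand-built layout standing in for a libipsec call, and the documentation-range addresses are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __linux__
#include <linux/pfkeyv2.h>   /* struct sadb_x_policy, struct sadb_x_ipsecrequest */
#include <linux/ipsec.h>     /* IPSEC_POLICY_*, IPSEC_DIR_*, IPSEC_MODE_*, IPSEC_LEVEL_* */
#else
#include <net/pfkeyv2.h>     /* FreeBSD homes of the same definitions */
#include <netipsec/ipsec.h>
#endif
#define ALIGN8(n) (((n) + 7) & ~(size_t)7)  /* PF_KEY extensions are padded to 8 bytes */
/* One outbound policy; 8-byte aligned because the kernel reads structs straight out of it. */
static union { unsigned char bytes[128]; uint64_t align; } g_policy;
static size_t g_policy_len;
/* Build the blob ipsec_set_policy() would produce from
 * "out ipsec esp/tunnel/<src>-<dst>/require": an sadb_x_policy header,
 * one sadb_x_ipsecrequest, then the two tunnel endpoints (constructed
 * example layout). Returns the blob length in bytes, 0 if an address does not parse. */
size_t build_tunnel_policy(const char *src, const char *dst)
{
    struct sadb_x_policy *pol = (struct sadb_x_policy *)g_policy.bytes;
    struct sadb_x_ipsecrequest *req = (struct sadb_x_ipsecrequest *)(pol + 1);
    struct sockaddr_in *ep = (struct sockaddr_in *)(req + 1);
    size_t reqlen = ALIGN8(sizeof(*req) + 2 * sizeof(*ep));
    size_t total = sizeof(*pol) + reqlen;
    memset(&g_policy, 0, sizeof(g_policy));
    ep[0].sin_family = ep[1].sin_family = AF_INET;
    if (inet_pton(AF_INET, src, &ep[0].sin_addr) != 1 ||
        inet_pton(AF_INET, dst, &ep[1].sin_addr) != 1)
        return 0;
    pol->sadb_x_policy_len = (uint16_t)(total / 8);       /* counted in 8-byte units */
    pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;         /* "ipsec": protect, not bypass */
    pol->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;          /* "out" */
    req->sadb_x_ipsecrequest_len = (uint16_t)reqlen;      /* this one is in bytes */
    req->sadb_x_ipsecrequest_proto = IPPROTO_ESP;         /* "esp" */
    req->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;    /* "tunnel" */
    req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE; /* "require": no SA, no traffic */
    g_policy_len = total;
    return total;
}
const struct sadb_x_policy *policy_hdr(void) { return (const struct sadb_x_policy *)g_policy.bytes; }
const struct sadb_x_ipsecrequest *policy_req(void) { return (const void *)(g_policy.bytes + sizeof(struct sadb_x_policy)); }
/* Hand the SPD entry to the kernel for one socket (privileged); an SA must still exist in the SAD. */
int apply_policy(int sock)
{ return setsockopt(sock, IPPROTO_IP, IP_IPSEC_POLICY, g_policy.bytes, (socklen_t)g_policy_len); }
```

The matching SA, with its SPI and key, is a separate step that goes into the SAD over a PF_KEY socket (or setkey's add line), which this example does not touch.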