Diffstat (limited to 'src/charon/doc')
-rw-r--r-- src/charon/doc/Architecture.txt | 56
-rw-r--r-- src/charon/doc/Known-bugs.txt   |  6
-rw-r--r-- src/charon/doc/Todo-list.txt    | 49
3 files changed, 111 insertions, 0 deletions
diff --git a/src/charon/doc/Architecture.txt b/src/charon/doc/Architecture.txt
new file mode 100644
index 000000000..14b99274c
--- /dev/null
+++ b/src/charon/doc/Architecture.txt
@@ -0,0 +1,56 @@
+/** @mainpage
+
+@section design strongSwans overall design
+
+IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
+completely handled in pluto, as it was all the times. IKEv2 is handled in the
+new keying daemon, which is called #charon.
+Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
+Charon uses another socket interface, called stroke. Stroke uses another
+format as whack and therefore is not compatible to whack. The starter utility,
+wich does fast configuration parsing, speaks both the protocols, whack and
+stroke. It also handles daemon startup and termination.
+Pluto uses starter for some commands, for other it uses the whack utility. To be
+as close to pluto as possible, charon has the same split up of commands to
+starter and stroke. All commands are wrapped together in the ipsec script, which
+allows transparent control of both daemons.
+@verbatim
+
+ +-----------------------------------------+
+ | ipsec |
+ +-----+--------------+---------------+----+
+ | | |
+ | | |
+ | +-----+-----+ |
+ +-----+----+ | | +-----+----+
+ | | | starter | | |
+ | stroke | | | | whack |
+ | | +---+--+----+ | |
+ +------+---+ | | +--+-------+
+ | | | |
+ +---+------+ | | +------+--+
+ | | | | | |
+ | charon +----+ +----+ pluto |
+ | | | |
+ +-----+----+ +----+----+
+ | |
+ +-----+----+ |
+ | LSF | |
+ +-----+----+ |
+ | |
+ +-----+----+ +----+----+
+ | RAW Sock | | UDP/500 |
+ +----------+ +---------+
+
+@endverbatim
+Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
+500. Under Linux, there is no clean way to set up two sockets at the same port.
+To reslove this problem, charon uses a RAW socket, as they are used in network
+sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
+traffic. Pluto receives any IKE message, independant of charons behavior.
+Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
+
+To gain some reusability of the code, generic crypto and utility functions are
+separeted in a shared library, libstrongswan.
+
+*/ \ No newline at end of file
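Review bot: the RAW socket paragraph after @endverbatim leaves out the two things an operator needs to know about this design: opening a raw socket needs CAP_NET_RAW (root in practice), and because charon now sees every packet on the wire, the installed LSF filter is the only thing keeping non-IKEv2 and arbitrary traffic away from charon's parser, so the text should say which header fields the filter matches on and how the filter and pluto's "discard IKEv2 silently" rule are kept consistent, since a message passed by one and not dropped by the other is answered by both daemons. Also fix the typos in this file ("strongSwans" -> "strongSwan's", "ole" -> "old", "wich", "reslove", "none-IKEv2" -> "non-IKEv2", "independant", "separeted", and "Stroke uses another format as whack and therefore is not compatible to whack" -> "Stroke uses a different format than whack and is therefore not compatible with it"), and add the trailing newline that the "\ No newline at end of file" marker reports.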
diff --git a/src/charon/doc/Known-bugs.txt b/src/charon/doc/Known-bugs.txt
new file mode 100644
index 000000000..3f594ad79
--- /dev/null
+++ b/src/charon/doc/Known-bugs.txt
@@ -0,0 +1,6 @@
+ Known bugs in charon
+======================
+
+- intiating the same connection twice makes trouble
+- leak_detective gets confused from libpthread (invalid frees)
+- installing to many SAs in the kernel at the same time causes troubles. Threading issue?
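Review bot: none of the three entries records how to reproduce the problem or what is observed, so the list cannot be worked off: "intiating the same connection twice makes trouble" should say whether the second initiate is rejected, creates a duplicate IKE_SA or crashes the daemon; "installing to many SAs in the kernel at the same time causes troubles. Threading issue?" needs the rough SA count and whether the kernel returns an error or charon's own state ends up inconsistent; and the leak_detective line should say whether the libpthread "invalid frees" are believed to be false positives of the detector or real double frees, since those need very different follow-up. Typos: "intiating" -> "initiating", "to many" -> "too many".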
diff --git a/src/charon/doc/Todo-list.txt b/src/charon/doc/Todo-list.txt
new file mode 100644
index 000000000..11b30fb7d
--- /dev/null
+++ b/src/charon/doc/Todo-list.txt
@@ -0,0 +1,49 @@
+ Todo-List for charon
+======================
+
++ = done, / = partial, - = todo, ordered by priority
+
+
++ private key loading: der, without passphrase
++ load all private keys from ipsec.d/private/ in stroke.c
++ handle leftcert and rightcert in starterstroke.c/stroke.c
++ load specified certs in stroke.c
++ extract public keys from certs
++ public key authentication
++ release for Andreas
+
++ stroke loglevels
++ stroke up
++ ike_sa_manager checkout_by_hosts
++ stroke down
++ stroke output redirection
++ stroke status
+
++ libx509
+ + new charon build - libstrong?
+ + transforms
+ + utils (plus host)
+ + logger_manager instance in lib
+ + leak detective usable for charon and pluto and anything else
+ + integrate asn1 parser/oid (asn1/oid)
+ + integrate basic PEM loading
+ + port x509 stuff
+
++ doxygen cleanup (charon/lib)
+
+/ useable certificate support
+ + more id types (use atodn from pluto)
+ + rewrite certificate storage the clean way
+ - further subjectAltName support
+ - certificate validation/chaining
+ - certificate exchange
+
+- implement 3DES to load encrypted pem files
+- ipsec.secrets parsing
+
+- trapping
+- delete notify, when to send?
+- notifys on connection setup failure
+- create child sa message/rekeying
+
+- new build environment (autotools?)
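Review bot: the priority ordering hides a security-relevant gap: "public key authentication" and "release for Andreas" are marked done while "certificate validation/chaining" is still a todo under "useable certificate support", which suggests that at this point a peer certificate loaded via leftcert/rightcert is used for authentication without its chain being verified; that item should be marked as a blocker for anything beyond test setups and moved above "further subjectAltName support". The entries "delete notify, when to send?" and "notifys on connection setup failure" are open questions rather than tasks and should be resolved against the IKEv2 specification and rewritten as concrete items. Typos: "useable" -> "usable", "notifys" -> "notifies".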