Diffstat (limited to 'src/charon/doc')
-rw-r--r--  src/charon/doc/Architecture.txt  56
-rw-r--r--  src/charon/doc/Known-bugs.txt     6
-rw-r--r--  src/charon/doc/Todo-list.txt     49
3 files changed, 111 insertions, 0 deletions
diff --git a/src/charon/doc/Architecture.txt b/src/charon/doc/Architecture.txt new file mode 100644 index 000000000..14b99274c --- /dev/null +++ b/src/charon/doc/Architecture.txt 
@@ -0,0 +1,56 @@ +/** @mainpage + +@section design strongSwans overall design + +IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is +completely handled in pluto, as it was all the times. IKEv2 is handled in the +new keying daemon, which is called #charon. +Daemon control is done over unix sockets. Pluto uses whack, as it did for years. +Charon uses another socket interface, called stroke. Stroke uses another +format as whack and therefore is not compatible to whack. The starter utility, +wich does fast configuration parsing, speaks both the protocols, whack and +stroke. It also handles daemon startup and termination. +Pluto uses starter for some commands, for other it uses the whack utility. To be +as close to pluto as possible, charon has the same split up of commands to +starter and stroke. All commands are wrapped together in the ipsec script, which +allows transparent control of both daemons. +@verbatim + + +-----------------------------------------+ + | ipsec | + +-----+--------------+---------------+----+ + | | | + | | | + | +-----+-----+ | + +-----+----+ | | +-----+----+ + | | | starter | | | + | stroke | | | | whack | + | | +---+--+----+ | | + +------+---+ | | +--+-------+ + | | | | + +---+------+ | | +------+--+ + | | | | | | + | charon +----+ +----+ pluto | + | | | | + +-----+----+ +----+----+ + | | + +-----+----+ | + | LSF | | + +-----+----+ | + | | + +-----+----+ +----+----+ + | RAW Sock | | UDP/500 | + +----------+ +---------+ + +@endverbatim +Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port +500. Under Linux, there is no clean way to set up two sockets at the same port. +To reslove this problem, charon uses a RAW socket, as they are used in network +sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2 +traffic. Pluto receives any IKE message, independant of charons behavior. +Therefore plutos behavior is changed to discard any IKEv2 traffic silently. 
+ +To gain some reusability of the code, generic crypto and utility functions are +separeted in a shared library, libstrongswan. + +*/
\ No newline at end of file diff --git a/src/charon/doc/Known-bugs.txt b/src/charon/doc/Known-bugs.txt new file mode 100644 index 000000000..3f594ad79 --- /dev/null +++ b/src/charon/doc/Known-bugs.txt @@ -0,0 +1,6 @@ + Known bugs in charon +====================== + +- intiating the same connection twice makes trouble +- leak_detective gets confused from libpthread (invalid frees) +- installing to many SAs in the kernel at the same time causes troubles. Threading issue? diff --git a/src/charon/doc/Todo-list.txt b/src/charon/doc/Todo-list.txt new file mode 100644 index 000000000..11b30fb7d --- /dev/null +++ b/src/charon/doc/Todo-list.txt @@ -0,0 +1,49 @@ + Todo-List for charon +====================== + ++ = done, / = partial, - = todo, ordered by priority + + ++ private key loading: der, without passphrase ++ load all private keys from ipsec.d/private/ in stroke.c ++ handle leftcert and rightcert in starterstroke.c/stroke.c ++ load specified certs in stroke.c ++ extract public keys from certs ++ public key authentication ++ release for Andreas + ++ stroke loglevels ++ stroke up ++ ike_sa_manager checkout_by_hosts ++ stroke down ++ stroke output redirection ++ stroke status + ++ libx509 + + new charon build - libstrong? + + transforms + + utils (plus host) + + logger_manager instance in lib + + leak detective usable for charon and pluto and anything else + + integrate asn1 parser/oid (asn1/oid) + + integrate basic PEM loading + + port x509 stuff + ++ doxygen cleanup (charon/lib) + +/ useable certificate support + + more id types (use atodn from pluto) + + rewrite certificate storage the clean way + - further subjectAltName support + - certificate validation/chaining + - certificate exchange + +- implement 3DES to load encrypted pem files +- ipsec.secrets parsing + +- trapping +- delete notify, when to send? +- notifys on connection setup failure +- create child sa message/rekeying + +- new build environment (autotools?) |
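Review bot: the Architecture.txt hunk leaves the security-relevant part of the UDP/500 design undocumented. The text says charon uses a RAW socket with a Linux Socket Filter that "filters out all none-IKEv2 traffic" while pluto "receives any IKE message" and is "changed to discard any IKEv2 traffic silently", but it never states what the filter actually matches on (the IKE header major version, or something else), and it does not mention that opening a raw socket on Linux requires the CAP_NET_RAW privilege, which charon then has to hold for its lifetime. Suggest adding one paragraph that names the filter criteria, states the privilege requirement and explains why the raw-socket approach was chosen over sharing the UDP socket, since "there is no clean way to set up two sockets at the same port" is asserted without a reason. Also worth noting in the text is the consequence for pluto: every IKEv2 datagram is still delivered to pluto and parsed far enough to be classified, so pluto's discard path is part of charon's attack surface. Minor: the prose has several typos that should be fixed before this ships as the mainpage ("ole IKEv1 stuff", "reslove", "separeted", "wich", "independant", "none-IKEv2", "IKEv1 and IKEv2 is handled", "not compatible to whack", "strongSwans").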
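Review bot: the three entries in Known-bugs.txt are too thin to act on. "installing to many SAs in the kernel at the same time causes troubles. Threading issue?" gives neither the observed failure nor a rough count, and "intiating the same connection twice makes trouble" does not say whether the second initiation is refused, creates a duplicate IKE_SA, or disturbs the first one, which matters because the Todo-list in the same change marks "stroke up" as done, so the double-initiation case is reachable from the control socket. Suggest recording for each entry the symptom, the command sequence that triggers it and, for the SA-installation bug, whether the kernel interface call fails or the daemon misbehaves, so that the "Threading issue?" guess can be confirmed or dropped. Also fix the typos "intiating" and "to many".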
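Review bot: Todo-list.txt marks "public key authentication" and "extract public keys from certs" as done ("+") while "certificate validation/chaining" is still todo ("-") under the partial ("/") item "useable certificate support". Read together, that means the current code authenticates a peer with a key taken from a certificate that has not been validated against a chain; if that is the case it is a security limitation of the daemon, not just a missing feature, and should be stated plainly in Known-bugs.txt rather than left to be inferred from the priority order here. Two smaller points: the legend says "+ = done, / = partial, - = todo", but the sub-items under "+ libx509" and "/ useable certificate support" carry no marker at all, so their state is unclear; and "- implement 3DES to load encrypted pem files" should say that 3DES is needed only to read existing encrypted key files, so nobody reads it as the intended cipher for new material.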