Pantek Library

Re: linux-ipsec: applying different transforms per user

From: Hugh Daniel <hugh(at)road.toad.com>
Date: Sat May 09 1998 - 04:47:12 EDT


  Welcome to the fray! The features you wish to add are not simple and it's going to be some work to get them going, they really are somewhat on the research side of the fence. Still it would be great to get some folks working on this now as it will affect the future design of FreeS/WAN and Linux's networking code.

  First off, don't even look at the 2.0.XX kernels, their networking is history (the bad part...). Over the next couple of months the FreeS/WAN project will be moving its code base to 2.1.XX (and thereafter 2.2.XX).

  Next you need to read up on both IPSEC and IKE (formerly known as the protocol called ISAKMP/Oakley) as an IKE daemon (as in FreeS/WAN's Pluto) will have to set up the connection to the other machine for you. This is the set of RFCs that define IPSEC and IKE; go look at the IPSEC Working Group Charter page that the FreeS/WAN web page (address at bottom of this post) points at.

  In our 2.x (under Linux 2.1.xx or 2.1.xx kernels) the KLIPS interface should (or will...) be made to do everything you need. I think the real work in what you want is passing the needed information on configuration and use through the TCP stack, out to the IKE daemon and then back into KLIPS (our IPSEC code in the Linux kernel). There might be some rocket science needed here, I just don't know yet.

  I think the first place that needs work is that the user & user programs need a new access to the networking interface (sockets) that controls the lower layer encryption (says things like I want all my packets to the IRS encrypted with ROT-13 or what not). From there we should be able to work the changes down to the IPSEC layer via a side trip to the IKE daemon.

  I doubt that ENskip is what you're after, though looking at it might give you some good ideas (it was a lot simpler than IPSEC/IKE). Not many folks are planning on using SKIP in the future, everyone seems to have hopped on the IPSEC/IKE bandwagon.

  FYI no apologies for asking questions are needed, this is largely uncharted waters and we need suckers...er...volunteers(!) to help find our way out of the Creature Feature fog.

  This list and the IETF related ones (see our project web page) are the right places to discuss the various approaches to solving this problem.

		||ugh Daniel
		hugh@toad.com

			Systems Testing & Project mis-Management
			The Linux FreeS/WAN Project
			
http://www.xs4all.nl/~freeswan
Received on Sat May 9 05:22:54 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:10 EDT

