[people/ms/strongswan.git] / src / charon / doc / Architecture.txt

/** @mainpage

@section design strongSwans overall design

IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
completely handled in pluto, as it was all the times. IKEv2 is handled in the
new keying daemon, which is called #charon. 
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
Charon uses another socket interface, called stroke. Stroke uses another
format as whack and therefore is not compatible to whack. The starter utility,
wich does fast configuration parsing, speaks both the protocols, whack and
stroke. It also handles daemon startup and termination. 
Pluto uses starter for some commands, for other it uses the whack utility. To be
as close to pluto as possible, charon has the same split up of commands to
starter and stroke. All commands are wrapped together in the ipsec script, which
allows transparent control of both daemons.
@verbatim

         +-----------------------------------------+
         |                  ipsec                  |
         +-----+--------------+---------------+----+
               |              |               |
               |              |               |
               |        +-----+-----+         |
         +-----+----+   |           |   +-----+----+
         |          |   |  starter  |   |          |
         |  stroke  |   |           |   |   whack  |
         |          |   +---+--+----+   |          |
         +------+---+       |  |        +--+-------+
                |           |  |           |
            +---+------+    |  |    +------+--+
            |          |    |  |    |         |
            |  charon  +----+  +----+  pluto  |
            |          |            |         |
            +-----+----+            +----+----+
                  |                      |
            +-----+----+                 |
            |    LSF   |                 |
            +-----+----+                 |
                  |                      |
            +-----+----+            +----+----+
            | RAW Sock |            | UDP/500 |
            +----------+            +---------+

@endverbatim
Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
500. Under Linux, there is no clean way to set up two sockets at the same port.
To reslove this problem, charon uses a RAW socket, as they are used in network
sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
traffic. Pluto receives any IKE message, independant of charons behavior.
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.

To gain some reusability of the code, generic crypto and utility functions are 
separeted in a shared library, libstrongswan.

*/
Commit	Line	Data
	1	/** @mainpage
	2
	3	@section design strongSwans overall design
	4
	5	IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
	6	completely handled in pluto, as it was all the times. IKEv2 is handled in the
	7	new keying daemon, which is called #charon.
	8	Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
	9	Charon uses another socket interface, called stroke. Stroke uses another
	10	format as whack and therefore is not compatible to whack. The starter utility,
	11	wich does fast configuration parsing, speaks both the protocols, whack and
	12	stroke. It also handles daemon startup and termination.
	13	Pluto uses starter for some commands, for other it uses the whack utility. To be
	14	as close to pluto as possible, charon has the same split up of commands to
	15	starter and stroke. All commands are wrapped together in the ipsec script, which
	16	allows transparent control of both daemons.
	17	@verbatim
	18
	19	+-----------------------------------------+
	20	\| ipsec \|
	21	+-----+--------------+---------------+----+
	22	\| \| \|
	23	\| \| \|
	24	\| +-----+-----+ \|
	25	+-----+----+ \| \| +-----+----+
	26	\| \| \| starter \| \| \|
	27	\| stroke \| \| \| \| whack \|
	28	\| \| +---+--+----+ \| \|
	29	+------+---+ \| \| +--+-------+
	30	\| \| \| \|
	31	+---+------+ \| \| +------+--+
	32	\| \| \| \| \| \|
	33	\| charon +----+ +----+ pluto \|
	34	\| \| \| \|
	35	+-----+----+ +----+----+
	36	\| \|
	37	+-----+----+ \|
	38	\| LSF \| \|
	39	+-----+----+ \|
	40	\| \|
	41	+-----+----+ +----+----+
	42	\| RAW Sock \| \| UDP/500 \|
	43	+----------+ +---------+
	44
	45	@endverbatim
	46	Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
	47	500. Under Linux, there is no clean way to set up two sockets at the same port.
	48	To reslove this problem, charon uses a RAW socket, as they are used in network
	49	sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
	50	traffic. Pluto receives any IKE message, independant of charons behavior.
	51	Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
	52
	53	To gain some reusability of the code, generic crypto and utility functions are
	54	separeted in a shared library, libstrongswan.
	55
	56	*/