[people/ms/strongswan.git] / src / charon / doc / Architecture.txt

/** @mainpage

@section design strongSwans overall design

IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
completely handled in pluto, as it was all the times. IKEv2 is handled in the
new keying daemon, which is called #charon. 
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
Charon uses another socket interface, called stroke. Stroke uses another
format as whack and therefore is not compatible to whack. The starter utility,
wich does fast configuration parsing, speaks both the protocols, whack and
stroke. It also handles daemon startup and termination. 
Pluto uses starter for some commands, for other it uses the whack utility. To be
as close to pluto as possible, charon has the same split up of commands to
starter and stroke. All commands are wrapped together in the ipsec script, which
allows transparent control of both daemons.
@verbatim

         +-----------------------------------------+
         |                  ipsec                  |
         +-----+--------------+---------------+----+
               |              |               |
               |              |               |
               |        +-----+-----+         |
         +-----+----+   |           |   +-----+----+
         |          |   |  starter  |   |          |
         |  stroke  |   |           |   |   whack  |
         |          |   +---+--+----+   |          |
         +------+---+       |  |        +--+-------+
                |           |  |           |
            +---+------+    |  |    +------+--+
            |          |    |  |    |         |
            |  charon  +----+  +----+  pluto  |
            |          |            |         |
            +-----+----+            +----+----+
                  |                      |
            +-----+----+                 |
            |    LSF   |                 |
            +-----+----+                 |
                  |                      |
            +-----+----+            +----+----+
            | RAW Sock |            | UDP/500 |
            +----------+            +---------+

@endverbatim
Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
500. Under Linux, there is no clean way to set up two sockets at the same port.
To reslove this problem, charon uses a RAW socket, as they are used in network
sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
traffic. Pluto receives any IKE message, independant of charons behavior.
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.

To gain some reusability of the code, generic crypto and utility functions are 
separeted in a shared library, libstrongswan.

*/
Commit	Line	Data
fcfeb322 MW	1	/** @mainpage
	2
	3	@section design strongSwans overall design
86c5fe9d MW	4
	5	IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
	6	completely handled in pluto, as it was all the times. IKEv2 is handled in the
fcfeb322	7	new keying daemon, which is called #charon.
efadbf79 MW	8	Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
efadbf79 MW	9	Charon uses another socket interface, called stroke. Stroke uses another
86c5fe9d MW	10	format as whack and therefore is not compatible to whack. The starter utility,
	11	wich does fast configuration parsing, speaks both the protocols, whack and
	12	stroke. It also handles daemon startup and termination.
f2ee13a7	13	Pluto uses starter for some commands, for other it uses the whack utility. To be
86c5fe9d MW	14	as close to pluto as possible, charon has the same split up of commands to
	15	starter and stroke. All commands are wrapped together in the ipsec script, which
	16	allows transparent control of both daemons.
fcfeb322	17	@verbatim
86c5fe9d MW	18
86c5fe9d MW	19	+-----------------------------------------+
f2ee13a7	20	\| ipsec \|
86c5fe9d	21	+-----+--------------+---------------+----+
f2ee13a7 MW	22	\| \| \|
	23	\| \| \|
	24	\| +-----+-----+ \|
	25	+-----+----+ \| \| +-----+----+
	26	\| \| \| starter \| \| \|
	27	\| stroke \| \| \| \| whack \|
	28	\| \| +---+--+----+ \| \|
	29	+------+---+ \| \| +--+-------+
	30	\| \| \| \|
	31	+---+------+ \| \| +------+--+
	32	\| \| \| \| \| \|
	33	\| charon +----+ +----+ pluto \|
	34	\| \| \| \|
86c5fe9d	35	+-----+----+ +----+----+
f2ee13a7 MW	36	\| \|
	37	+-----+----+ \|
	38	\| LSF \| \|
	39	+-----+----+ \|
	40	\| \|
86c5fe9d	41	+-----+----+ +----+----+
f2ee13a7	42	\| RAW Sock \| \| UDP/500 \|
86c5fe9d MW	43	+----------+ +---------+
86c5fe9d MW	44
fcfeb322	45	@endverbatim
86c5fe9d MW	46	Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
	47	500. Under Linux, there is no clean way to set up two sockets at the same port.
	48	To reslove this problem, charon uses a RAW socket, as they are used in network
	49	sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
	50	traffic. Pluto receives any IKE message, independant of charons behavior.
	51	Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
	52
fcfeb322 MW	53	To gain some reusability of the code, generic crypto and utility functions are
fcfeb322 MW	54	separeted in a shared library, libstrongswan.
86c5fe9d	55
fcfeb322	56	*/