Project

General

Profile

Actions

Feature #5480

open

Linux kernel IPsec plugin for doubango

Added by laforge almost 2 years ago. Updated almost 2 years ago.

Status:
In Progress
Priority:
High
Assignee:
Target version:
-
Start date:
03/07/2022
Due date:
% Done:

90%


Description

This task is about creating an IPsec plugin for the doubango library, allowing doubango to control IPsec policies and security associations in the kernel IPsec stack.

Doubango already has a related plugin architecture and a sample plugin for Windows 10

Actions #1

Updated by domi almost 2 years ago

Naturally doing this shall be straight forward for anybody knowledgeable about netlink, maybe even the strongswan plugin kernel-netlink could be somehow used. I am not yet experienced in netlink :)

However I would like to raise an issue that is I think important to be discussed: in case of VoLTE we are OK, since we only need a single tunnel created once connectivity is established with the ims APN. However in case of VoWiFi two tunnels must be created, and the inner address of the first tunnel must be the outer address of the second tunnel. When I asked about this on the strongswan IRC channel I got the response that this might be hard to realise because of how the kernel treats IPsec policies, hence I was recommended to use network namespaces, meaning the first tunnel would live in the default network namespace and the policies for the second tunnel would get installed inside of a dedicated namespace, keeping the policies properly isolated. I tried this approach manually and it worked fine for a quick test-run.
Though I am still unsure if this is indeed necessary, but last time I tried the other way I did have troubles installing two policies, one depending on the other. It might be my lack of Googling on the topic, but I thought it is good to keep this in mind when creating plugins for IPsec handling.

Actions #2

Updated by laforge almost 2 years ago

Hi domi,

On Mon, Mar 07, 2022 at 09:30:12PM +0000, domi wrote:

Naturally doing this shall be straight forward for anybody knowledgeable about netlink, maybe even the strongswan plugin kernel-netlink could be somehow used. I am not yet experienced in netlink :)

I've already written the doubango code, see
https://gitea.osmocom.org/ims-volte-vowifi/doubango/src/branch/laforge/wip/plugins/ipsec_linux and it is working. It implements the kernel netlink xfrm calls using libmnl and plugs as ipsec provider into doubango. That part is working already in early tests.

However I would like to raise an issue that is I think important to be discussed: in case of VoLTE we are OK, since we only need a single tunnel created once connectivity is established with the ims APN.

ACK.

However in case of VoWiFi two tunnels must be created, and the inner address of the first tunnel must be the outer address of the second tunnel. When I asked about this on the strongswan IRC channel I got the response that this might be hard to realise because of how the kernel treats IPsec policies, hence I was recommended to use network namespaces, meaning the first tunnel would live in the default network namespace and the policies for the second tunnel would get installed inside of a dedicated namespace, keeping the policies properly isolated. I tried this approach manually and it worked fine for a quick test-run.

Yes, this is what I've described in #5484 and will be tracking there. This particular issue is really only about the 'inner' IPsec with doubango.

Actions #3

Updated by laforge almost 2 years ago

  • Priority changed from Urgent to High
  • % Done changed from 70 to 90

The acutal implementation has been done in https://gitea.osmocom.org/ims-volte-vowifi/doubango/commit/557b37ec913754b342f46eb18fd528d5d66138bf and with the various other patches/hacks in the laforge/wip branch of https://gitea.osmocom.org/ims-volte-vowifi/doubango I was able to fully establish the IPsec and perform a SIP REGISTER to my Kamailo based IMS core.

I'm sure we will find bugs later on, but I think this is working at leat at the proof-of-concept level.

Actions

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)