Implementing IPsec

The IP Security protocols are sufficiently mature to benefit from multiple independent implementations and worldwide deployment. Towards that goal, we implemented the protocols for the BSD/OS, Linux, OpenBSD and NetBSD(1) While some differences in the implementations exist due to the differences in underlying operating system structures, the design philosophy is common. A radix tree, namely the one used by the BSD code for routing purposes, is used to implement the policy engine; a transform table switch is used to make addition of security transformations an easy process; a lightweight kernel-user communication mechanism is used to pass key material and other configuration information from user space to kernel space, and to report asynchronous events such as requests for new keys from kernel space to a user-level keying daemon; and two distinct ways of intercepting outgoing packets and applying the IPsec transformations to them are employed. In this paper, the techniques used in our implementations are explained, differences in approaches are analysed, and hints are given to potential future implementers of new transforms.