An XML based management protocol for strongSwan (SMP)¶
We are developing a flexible XML-based configuration interface. It uses the SMP protocol developed by Andreas Eigenmann and Joël Stillhart as part of their diploma thesis.
SMP is deprecated since 5.2.0 in favor of the Versatile IKE Control Interface (VICI).
Overview¶
The currently implemented communication interface to charon is called stroke. It's a simple protocol with it's own binary format. Only the input format is specified, output is redirected to the console.
While this protocol is usable for console applications (ipsec/starter), we need a better protocol to get feedback for an operation, query the status of the daemon, ...
Requirements¶
- Querying
- IKE_SA list
- Daemon status
- ...
- Control
- initiate connection
- terminate connection
- ...
- Get notifications
- client connected
- client connect attempt failed
- ...
Protocol¶
To get an universal usable and easy to implement protocol, SMP is based on a XML. We use Relax-NG schemas for validation, as they are more powerful than DTD, but simpler than XML schema.
Connectivity¶
SMP uses a reliable protocol. We implement the protocol over a Unix socket for the first try, TCP connections are targeted for a later release (see security).
Security¶
We do not implement any security (encryption/authentication) in the first iteration. We will operate on a Unix socket, we enforce security with file permissions. Further development iterations will support for remote administration (over TCP), and then we need authentication, encryption and integrity checks.
The proposed XML-Security like approach proposed in the diploma thesis suffers from replay attack detection. Futher, using the asymmetric approach for each message may be to expensive.
If we implement a more complex notification mechanism, we need to register anyway at connection setup. We could agree on encryption and compression algorithm and exchange a key in this registration process.
Message format¶
The root element of an exchanged element is the <message> element. A message has a type attribute of either request, response or notification. To protect messages against replay attacks, each message as an id attribute, which in unique and incremental for each request/response pair. Notifications use their own counter for for message ids, as they appear asynchronously.
Messages of type request and response contain one or more of the elements query and control.
Schema¶
The complete schema is available at source:src/libcharon/plugins/smp/schema.xml (draft).
Query Operations¶
- Query a list of IKE_SAs
- ...
The status of all IKE_SAs can be queried by sending a message of type request including a query