Linux XFRM Intro

Jyothi
3 min readJun 5, 2020

--

There is lot to know about Linux, Linux kernel and other stuff. Coming to IPSec implementation in Linux. There are many applications or tools supporting IPSec functionality like setkey, ip xfrm , strongswan, netkey , some other custom applications, etc. These tools or applications are used to create IPSec credentials such as IPSec security associations(SAs) and IPSec Security Policy databases (SPD).

Linux XFRM subsystem is an underlying framework used to implement IPSec packet path functionality in Linux kernel. The above mentioned applications or tools communicate with Linux XFRM subsystem to push IPSEC credentials in Linux kernel, which are used for encryption and decryption of network traffic.

Linux XFRM is a complex framework where it involves communication with many modules. It listens on netlink messages sent by applications, once its successful in programming SA and policy in Linux XFRM subsystem, it also broadcasts XFRM netlink messages, so that if any other module or application wants to know about SA and policy info, it can listen on XFRM policies and SA information.

Linux XFRM subsystem should be able to process or apply multiple IPSEC protocols such as ESP , AH and IP compression. ESP and AH protocols involve cryptography operations. Linux XFRM subsystem is programmed to communicate with cryptography modules for cryptography operations.

Linux XFRM code organization:

In net/xfrm directory:

Linux xfrm subsystem also has code specific to IPv4 and IPv6 in respective net/ipv4 and net/ipv6 directories:

Packet path :

Linux XFRM subsystem has to handle encapsulated IPSec packet and plain IP packets.

When an encapsulated IPSec packet is received , it should be able to decrypt the packet only if there is an SA programmed corresponding to the received packet. Following diagram shows the functionality for encapsulated packet:

When Linux kernel before transmission of plain packet, it needs to check if packet should be IPSEC encapsulated and transmitted. Linux XFRM maintains XFRM policies to check if packet to be encrypted and sent out. Following diagram shows the functionality of IPSec encapsulation packet path:

There is lot more to learn on Linux XFRM subsystem. Wait for other posts :).

References:

https://programmer.ink/think/xfrm-a-kernel-implementation-framework-of-ipsec-protocol.html

--

--