
Page 1: Andreas Steffen, 23.04.2015 Cisco-1.pptx 1 strongSwan Training for Cisco Session 1 Processes & Tasks Prof. Dr. Andreas Steffen andreas.steffen@strongswan.org

Andreas Steffen, 23.04.2015 Cisco-1.pptx 1

strongSwan Training for Cisco

Session 1

Processes & Tasks

Prof. Dr. Andreas Steffen

andreas.steffen@strongswan.org

Page 2

Agenda: Session 1 – Processes & Tasks

• Job Priority Management
  • Preventing thread starvation
• Event Scheduler
  • Binary heap architecture
• IKE Message Tasks
  • Building and processing initiator or responder IKE messages
• IKE_SA Retrieval
  • Efficient access using hashtables

Page 3

strongSwan Training for Cisco – Session 1

Job Priority Management

Page 4

Job Priorities

Priority   Typical jobs
CRITICAL   Long-running dispatcher jobs, e.g. sockets
HIGH       INFORMATIONAL exchanges, e.g. for DPD
MEDIUM     Everything not HIGH/LOW, e.g. IKE_SA_INIT processing
LOW        IKE_AUTH processing. RADIUS/CRL fetching might block

Source: libstrongswan/processing/jobs/job.h

Page 5

Jobs with Priority CRITICAL

• Receive/Send IKE Messages, Event Scheduler, Network Events
  • libcharon/network/receiver.c
  • libcharon/network/sender.c
  • libstrongswan/processing/scheduler.c
  • libstrongswan/processing/watcher.c
• Configuration & Management Socket Interface
  • libcharon/plugins/stroke/stroke_socket.c
  • libcharon/plugins/vici/vici_socket.c
• High Availability Plugin
  • libcharon/plugins/ha/ha_cache.c | ha_ctl.c | ha_dispatcher.c | ha_segments.c
• EAP Radius Plugin
  • libcharon/plugins/eap_radius/eap_radius_accounting.c
  • libcharon/plugins/eap_radius/eap_radius_plugin.c
• PKCS#11 Smartcard Plugin
  • libstrongswan/plugins/pkcs11/pkcs11_manager.c

Page 6

Jobs with Priority HIGH

• IKE Job Processing
  • libcharon/processing/jobs/adopt_children_job.c
  • libcharon/processing/jobs/dpd_timeout_job.c
  • libcharon/processing/jobs/process_message_job.c
  • libcharon/processing/jobs/retransmit_job.c
  • libcharon/processing/jobs/retry_initiate_job.c
  • libcharon/processing/jobs/send_dpd_job.c
  • libcharon/processing/jobs/send_keepalive_job.c
• High Availability Plugin
  • libcharon/plugins/ha/ha_socket.c

Page 7

Jobs with Priority MEDIUM

• IKE Job Processing
  • libcharon/processing/jobs/acquire_job.c
  • libcharon/processing/jobs/delete_child_sa_job.c
  • libcharon/processing/jobs/delete_ike_sa_job.c
  • libcharon/processing/jobs/inactivity_job.c
  • libcharon/processing/jobs/initiate_mediation_job.c
  • libcharon/processing/jobs/initiate_tasks_job.c
  • libcharon/processing/jobs/mediation_job.c
  • libcharon/processing/jobs/migrate_job.c
  • libcharon/processing/jobs/process_message_job.c
  • libcharon/processing/jobs/rekey_child_sa_job.c
  • libcharon/processing/jobs/rekey_ike_sa_job.c
  • libcharon/processing/jobs/roam_job.c
  • libcharon/processing/jobs/start_action_job.c
  • libcharon/processing/jobs/update_sa_job.c

Page 8

Jobs with Priority LOW

• IKE Job Processing
  • libcharon/processing/jobs/process_message_job.c

Page 9

IKEv2 Message Processing Prioritization

METHOD(job_t, get_priority, job_priority_t,
    private_process_message_job_t *this)
{
    switch (this->message->get_exchange_type(this->message))
    {
        case IKE_AUTH:
            /* IKE_AUTH is rather expensive and often blocking,
             * low priority */
            return JOB_PRIO_LOW;
        case INFORMATIONAL:
            /* INFORMATIONALs are inexpensive, for DPD we should
             * have low reaction times */
            return JOB_PRIO_HIGH;
        case IKE_SA_INIT:
        case CREATE_CHILD_SA:
        default:
            /* IKE_SA_INIT is expensive, but we will drop them in the
             * receiver if we are overloaded */
            return JOB_PRIO_MEDIUM;
    }
}

Source: libcharon/processing/jobs/process_message_job.c

Page 10

Thread and Job Priority Configuration

# strongswan.conf
charon {
    threads = 32
}

libstrongswan {
    processor {
        priority_threads {
            high = 1
            medium = 4
        }
    }
}

ipsec statusall
worker threads: 2 of 32 idle, 5/1/2/22 working, job queue: 0/0/1/149, scheduled: 198
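The following is an added example, not strongSwan code, modelling why the priority_threads reservation above prevents thread starvation. The rule it implements is the one libstrongswan's processor applies as I understand it: an idle thread may only take a job of priority P when more threads are idle than are reserved for the priorities above P. The per-priority fields of the status line ("5/1/2/22 working", "0/0/1/149" queued) are in CRITICAL/HIGH/MEDIUM/LOW order; the thread counts and job names in the scenario are constructed.

```python
"""Model of a priority-reserved worker thread pool (added example, not strongSwan code)."""
from collections import deque

PRIORITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]  # job_priority_t order, 0 = highest


class Processor:
    def __init__(self, threads, reserved=None):
        reserved = reserved or {}
        self.threads = threads
        # priority_threads { high = 1, medium = 4 } becomes [0, 1, 4, 0]
        self.reserved = [reserved.get(p, 0) for p in PRIORITIES]
        self.queues = [deque() for _ in PRIORITIES]
        self.working = [0] * len(PRIORITIES)   # threads busy per priority

    def idle_threads(self):
        return self.threads - sum(self.working)

    def queue_job(self, priority, name):
        self.queues[PRIORITIES.index(priority)].append(name)

    def get_job(self):
        """Hand a job to an idle thread, or return None when every runnable job
        has a priority that the remaining idle threads are reserved against."""
        idle = self.idle_threads()
        if idle == 0:
            return None
        reserved = 0
        for prio, queue in enumerate(self.queues):
            if reserved and reserved >= idle:
                return None          # keep the idle threads for higher priorities
            reserved += self.reserved[prio]
            if queue:
                self.working[prio] += 1
                return PRIORITIES[prio], queue.popleft()
        return None

    def finish_job(self, priority):
        self.working[PRIORITIES.index(priority)] -= 1

    def status(self):
        """Same shape as the 'worker threads:' line of ipsec statusall."""
        return "worker threads: %d of %d idle, %s working, job queue: %s" % (
            self.idle_threads(), self.threads,
            "/".join(map(str, self.working)),
            "/".join(str(len(q)) for q in self.queues))


def flood_then_dpd(threads, reserved, n_low):
    """Queue n_low blocking LOW jobs (IKE_AUTH with slow RADIUS/CRL fetching),
    start as many as the pool allows, then queue one HIGH job (an INFORMATIONAL
    for DPD) and report whether it gets a thread while the LOW jobs still block."""
    proc = Processor(threads, reserved)
    for n in range(n_low):
        proc.queue_job("LOW", "process_message_job(IKE_AUTH #%d)" % n)  # constructed
    low_started = 0
    while proc.get_job() is not None:
        low_started += 1
    proc.queue_job("HIGH", "process_message_job(INFORMATIONAL/DPD)")
    dpd = proc.get_job()
    return {"low_started": low_started,
            "dpd_started": dpd is not None,
            "status": proc.status()}


if __name__ == "__main__":
    print("no reservation:", flood_then_dpd(4, {}, 10))
    print("high = 1:      ", flood_then_dpd(4, {"HIGH": 1}, 10))
```

With no reservation all four threads block on IKE_AUTH and the DPD exchange waits in the queue; with one thread reserved for HIGH, the fourth thread refuses LOW work and the DPD job starts immediately, which is the point of the slide's configuration.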

Page 11

strongSwan Training for Cisco – Session 1

Event Scheduler

Page 12

Event Scheduler

• Binary Heap
  • Binary tree organized as a min-heap with the event time as key.
  • Heap starts with an array of 64 entries and array size doubles each time the heap runs out of entries
  • Implemented by src/libstrongswan/processing/scheduler.c

[Figure: the min-heap drawn as a binary tree of event times and as its array representation, with nodes indexed 1 to 15 in level order so that the children of node i sit at 2i and 2i+1]
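As an added example (not the scheduler.c code itself), the following Python implements the structure the slide describes: a min-heap keyed by event time in a 1-based array with 64 initial slots that doubles when full, plus the two operations a scheduler needs, inserting an event and popping the earliest one. The event names and times are constructed.

```python
"""Event scheduler on a binary min-heap (added example, not strongSwan code)."""
import random


class EventHeap:
    def __init__(self, initial_slots=64):
        self.slots = initial_slots
        self.heap = [None] * (self.slots + 1)   # index 0 unused: 1-based heap
        self.count = 0                           # "scheduled: N" in ipsec statusall

    def schedule(self, at, job):
        """Insert an event; sift-up keeps the earliest time at heap[1]."""
        if self.count == self.slots:             # out of entries: double the array
            self.slots *= 2
            self.heap.extend([None] * (self.slots + 1 - len(self.heap)))
        self.count += 1
        i = self.count
        while i > 1 and at < self.heap[i // 2][0]:
            self.heap[i] = self.heap[i // 2]    # parent is later: move it down
            i //= 2
        self.heap[i] = (at, job)

    def next_time(self):
        """Time of the earliest event, i.e. how long the scheduler thread may sleep."""
        return self.heap[1][0] if self.count else None

    def pop(self):
        """Remove and return the earliest (time, job); sift-down restores the heap."""
        if not self.count:
            return None
        earliest = self.heap[1]
        last = self.heap[self.count]
        self.heap[self.count] = None
        self.count -= 1
        i = 1
        while 2 * i <= self.count:
            child = 2 * i
            if child < self.count and self.heap[child + 1][0] < self.heap[child][0]:
                child += 1                      # take the earlier of the two children
            if last[0] <= self.heap[child][0]:
                break
            self.heap[i] = self.heap[child]
            i = child
        if self.count:
            self.heap[i] = last
        return earliest

    def fire_due(self, now):
        """Pop every event whose time has come, earliest first."""
        due = []
        while self.count and self.heap[1][0] <= now:
            due.append(self.pop())
        return due


def demo(n=200, seed=1):
    """Schedule n events at pseudo-random times (constructed), then drain the heap."""
    rng = random.Random(seed)
    heap = EventHeap()
    for k in range(n):
        heap.schedule(rng.randint(0, 10_000), "retransmit_job #%d" % k)
    grown_to = heap.slots                       # 64 -> 128 -> 256 for 200 events
    times = [t for t, _ in iter(heap.pop, None)]
    return {"slots": grown_to, "n": len(times),
            "in_order": times == sorted(times), "drained": heap.count == 0}


if __name__ == "__main__":
    print(demo())
```

Both operations touch only the path between a leaf and the root, so inserting or removing an event costs O(log n) regardless of how many retransmit, DPD or rekey events are pending.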

Page 13

strongSwan Training for Cisco – Session 1

IKE Message Tasks

Page 14

IKEv2 Tasks I

enum task_type_t {
    /** establish an unauthenticated IKE_SA */
    TASK_IKE_INIT,
    /** detect NAT situation */
    TASK_IKE_NATD,
    /** handle MOBIKE stuff */
    TASK_IKE_MOBIKE,
    /** authenticate the initiated IKE_SA */
    TASK_IKE_AUTH,
    /** AUTH_LIFETIME negotiation, RFC4478 */
    TASK_IKE_AUTH_LIFETIME,
    /** certificate processing before authentication */
    TASK_IKE_CERT_PRE,
    /** certificate processing after authentication */
    TASK_IKE_CERT_POST,
    /** Configuration payloads, virtual IP and such */
    TASK_IKE_CONFIG,
    /** rekey an IKE_SA */
    TASK_IKE_REKEY,
    ...

Source: libcharon/sa/task.h

Page 15

IKEv2 Tasks II

    ...
    /** reestablish a complete IKE_SA, break-before-make */
    TASK_IKE_REAUTH,
    /** completion task for make-before-break IKE_SA re-auth */
    TASK_IKE_REAUTH_COMPLETE,
    /** delete an IKE_SA */
    TASK_IKE_DELETE,
    /** liveness check */
    TASK_IKE_DPD,
    /** Vendor ID processing */
    TASK_IKE_VENDOR,
    /** handle ME stuff */
    TASK_IKE_ME,
    /** establish a CHILD_SA within an IKE_SA */
    TASK_CHILD_CREATE,
    /** delete an established CHILD_SA */
    TASK_CHILD_DELETE,
    /** rekey a CHILD_SA */
    TASK_CHILD_REKEY,
    ...

Page 16

IKEv1 Tasks I

    ...
    /** IKEv1 main mode */
    TASK_MAIN_MODE,
    /** IKEv1 aggressive mode */
    TASK_AGGRESSIVE_MODE,
    /** IKEv1 informational exchange */
    TASK_INFORMATIONAL,
    /** IKEv1 delete using an informational */
    TASK_ISAKMP_DELETE,
    /** IKEv1 XAUTH authentication */
    TASK_XAUTH,
    /** IKEv1 Mode Config */
    TASK_MODE_CONFIG,
    /** IKEv1 quick mode */
    TASK_QUICK_MODE,
    /** IKEv1 delete of a quick mode SA */
    TASK_QUICK_DELETE,
    /** IKEv1 vendor ID payload handling */
    TASK_ISAKMP_VENDOR,
    ...

Page 17

IKEv1 Tasks II

    ...
    /** IKEv1 NAT detection */
    TASK_ISAKMP_NATD,
    /** IKEv1 DPD */
    TASK_ISAKMP_DPD,
    /** IKEv1 pre-authentication certificate handling */
    TASK_ISAKMP_CERT_PRE,
    /** IKEv1 post-authentication certificate handling */
    TASK_ISAKMP_CERT_POST,
};

Page 18

Task Object

struct task_t {

    /** Build a request or response message for this task */
    status_t (*build) (task_t *this, message_t *message);

    /** Process a request or response message for this task */
    status_t (*process) (task_t *this, message_t *message);

    /** Get the type of the task implementation */
    task_type_t (*get_type) (task_t *this);

    /** Migrate a task to a new IKE_SA */
    void (*migrate) (task_t *this, ike_sa_t *ike_sa);

    /** Destroys a task_t object */
    void (*destroy) (task_t *this);

};

Source: libcharon/sa/task.h

Page 19

IKEv2 Task Example for TASK_IKE_NATD I

ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
{
    private_ike_natd_t *this;

    INIT(this,
        .public = {
            .task = {
                .get_type = _get_type,
                .migrate = _migrate,
                .destroy = _destroy,
            },
            .has_mapping_changed = _has_mapping_changed,
        },
        .ike_sa = ike_sa,
        .initiator = initiator,
        .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
    );
    ...

Source: libcharon/sa/ikev2/tasks/ike_natd.c

Page 20

IKEv2 Task Example for TASK_IKE_NATD II

    ...

    if (initiator)
    {
        this->public.task.build = _build_i;
        this->public.task.process = _process_i;
    }
    else
    {
        this->public.task.build = _build_r;
        this->public.task.process = _process_r;
    }
    return &this->public;
}

Source: libcharon/sa/ikev2/tasks/ike_natd.c
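The task object on page 18 and the ike_natd_create() excerpt on pages 19 and 20 share one pattern: a task exposes build and process hooks, and the constructor wires in the initiator or responder variant of each. The following added example (Python, not strongSwan code) models that pattern end to end for NAT detection, driving one IKE_SA_INIT request and response through an initiator task and a responder task. The payload content is the SHA-1 over SPIi | SPIr | IP address | port defined for NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP in RFC 7296 section 2.23 (the SPIr of the request is zero); the message dictionaries, the single-address simplification, and the addresses and SPIs in the scenario are constructed for this example.

```python
"""Role-selected build/process hooks for an IKEv2 NAT-D task (added example)."""
import hashlib
import struct

NEED_MORE, SUCCESS = "NEED_MORE", "SUCCESS"   # stand-ins for status_t values


def nat_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION payload data: SHA-1(SPIi | SPIr | IPv4 address | port)."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


class IkeNatdTask:
    """Minimal stand-in for ike_natd_t.  `me` and `other` are (ip, port)
    pairs as this host sees them, which is exactly what a NAT distorts."""

    def __init__(self, initiator, me, other):
        self.initiator, self.me, self.other = initiator, me, other
        self.me_behind_nat = None
        self.peer_behind_nat = None
        # Same trick as ike_natd_create(): choose the hooks by role.
        if initiator:
            self.build, self.process = self._build_i, self._process_i
        else:
            self.build, self.process = self._build_r, self._process_r

    def get_type(self):
        return "TASK_IKE_NATD"

    def _add_payloads(self, message):
        spi_i, spi_r = message["spi_i"], message["spi_r"]
        message["NAT_DETECTION_SOURCE_IP"] = nat_hash(spi_i, spi_r, *self.me)
        message["NAT_DETECTION_DESTINATION_IP"] = nat_hash(spi_i, spi_r, *self.other)

    def _check_payloads(self, message):
        spi_i, spi_r = message["spi_i"], message["spi_r"]
        # The peer hashed the address it believes it sends from; if that is not
        # the address we actually receive from, the peer sits behind a NAT.
        self.peer_behind_nat = (message["NAT_DETECTION_SOURCE_IP"]
                                != nat_hash(spi_i, spi_r, *self.other))
        # The peer hashed the address it sends to; if that is not our own
        # address, our packets were translated on the way, so we are behind a NAT.
        self.me_behind_nat = (message["NAT_DETECTION_DESTINATION_IP"]
                              != nat_hash(spi_i, spi_r, *self.me))

    # initiator: build the request, then process the response
    def _build_i(self, message):
        self._add_payloads(message)
        return NEED_MORE

    def _process_i(self, message):
        self._check_payloads(message)
        return SUCCESS

    # responder: process the request, then build the response
    def _process_r(self, message):
        self._check_payloads(message)
        return NEED_MORE

    def _build_r(self, message):
        self._add_payloads(message)
        return SUCCESS


def run_ike_sa_init(initiator, responder, spi_i, spi_r):
    """Drive one IKE_SA_INIT request/response through both task objects."""
    request = {"exchange": "IKE_SA_INIT", "spi_i": spi_i, "spi_r": bytes(8)}
    initiator.build(request)
    responder.process(request)
    response = {"exchange": "IKE_SA_INIT", "spi_i": spi_i, "spi_r": spi_r}
    responder.build(response)
    initiator.process(response)
    return {"initiator": (initiator.me_behind_nat, initiator.peer_behind_nat),
            "responder": (responder.me_behind_nat, responder.peer_behind_nat)}


if __name__ == "__main__":
    # Constructed scenario: the initiator's 10.0.0.5:500 is translated to
    # 203.0.113.7:12345 before it reaches the responder at 198.51.100.1:500.
    init = IkeNatdTask(True, ("10.0.0.5", 500), ("198.51.100.1", 500))
    resp = IkeNatdTask(False, ("198.51.100.1", 500), ("203.0.113.7", 12345))
    print(run_ike_sa_init(init, resp, bytes.fromhex("0011223344556677"),
                          bytes.fromhex("8899aabbccddeeff")))
```

Because the hashes bind the SPIs as well as the address and port, a stale or replayed NAT_DETECTION payload from another SA does not match, which is why the real task recomputes them per exchange rather than caching a result.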

Page 21

strongSwan Training for Cisco – Session 1

IKE SA Retrieval

Page 22

Efficient IKE_SA Lookup using Hashtables

[Figure: a hashtable with buckets 0 to 7, each holding a "Key / IKE_SA" entry, with the buckets divided between segments 0 and 1]

# strongswan.conf
charon {
    ikesa_table_size = 16
    ikesa_table_segments = 2
}
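As an added example (Python, not strongSwan's ike_sa_manager code), the following builds the structure the slide sketches: ikesa_table_size buckets dealt out round-robin over ikesa_table_segments segments, each segment guarded by its own lock so that lookups hitting different segments do not contend. The hash used to pick a bucket, the round-robin segment assignment, and the SPI values in the demo are assumptions and constructed data for this example.

```python
"""Segmented IKE_SA hashtable (added example, not strongSwan code)."""
import hashlib
import threading


class IkeSaTable:
    def __init__(self, table_size=16, segments=2):
        if table_size % segments:
            raise ValueError("table_size must be a multiple of segments")
        self.table_size, self.segments = table_size, segments
        self.buckets = [[] for _ in range(table_size)]    # bucket -> [(key, sa), ...]
        self.locks = [threading.Lock() for _ in range(segments)]

    def row(self, spi_i, spi_r):
        """Bucket index derived from the SPI pair (any uniform hash works here)."""
        digest = hashlib.blake2b(spi_i + spi_r, digest_size=4).digest()
        return int.from_bytes(digest, "big") % self.table_size

    def segment(self, row):
        """Rows go round-robin to segments: rows 0, 2, 4, ... belong to segment 0."""
        return row % self.segments

    def checkin(self, spi_i, spi_r, ike_sa):
        row = self.row(spi_i, spi_r)
        with self.locks[self.segment(row)]:               # blocks only this segment
            self.buckets[row].append(((spi_i, spi_r), ike_sa))

    def checkout(self, spi_i, spi_r):
        """Find an IKE_SA by its SPI pair; None if no such SA is known."""
        row = self.row(spi_i, spi_r)
        with self.locks[self.segment(row)]:
            for key, ike_sa in self.buckets[row]:
                if key == (spi_i, spi_r):
                    return ike_sa
        return None

    def fill(self):
        """(segment, row, entries) triples, grouped by segment for display."""
        return [(s, r, len(self.buckets[r])) for s in range(self.segments)
                for r in range(self.table_size) if self.segment(r) == s]


def demo(n=40):
    """Check in n IKE_SAs with constructed SPIs, then look one up and miss another."""
    table = IkeSaTable(16, 2)
    for k in range(n):
        spi_i = k.to_bytes(8, "big")
        spi_r = (0x1000 + k).to_bytes(8, "big")
        table.checkin(spi_i, spi_r, "ike_sa #%d" % k)
    hit = table.checkout((7).to_bytes(8, "big"), (0x1007).to_bytes(8, "big"))
    miss = table.checkout(bytes(8), bytes(8))
    return {"hit": hit, "miss": miss,
            "stored": sum(count for _, _, count in table.fill())}


if __name__ == "__main__":
    print(demo())
```

With 16 rows and 2 segments, a checkout holds one of two locks for the duration of a short bucket scan; raising ikesa_table_segments spreads concurrent lookups over more locks, while raising ikesa_table_size shortens the scan per bucket.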