Andreas Steffen, 23.04.2015 Cisco-1.pptx 1
strongSwan Training for Cisco
Session 1
Processes & Tasks
Prof. Dr. Andreas Steffen
andreas.steffen@strongswan.org
Agenda Session 1 Processes & Tasks
• Job Priority Management
  • Preventing thread starvation
• Event Scheduler
  • Binary heap architecture
• IKE Message Tasks
  • Building and processing initiator or responder IKE messages
• IKE_SA Retrieval
  • Efficient access using hashtables
strongSwan Training for Cisco – Session 1
Job Priority Management
Job Priorities
CRITICAL  Long-running dispatcher jobs, e.g. sockets
HIGH      INFORMATIONAL exchanges, e.g. for DPD
MEDIUM    Everything not HIGH/LOW, e.g. IKE_SA_INIT processing
LOW       IKE_AUTH processing. RADIUS/CRL fetching might block
Source: libstrongswan/processing/jobs/job.h
Jobs with Priority CRITICAL
• Receive/Send IKE Messages, Event Scheduler, Network Events
  • libcharon/network/receiver.c
  • libcharon/network/sender.c
  • libstrongswan/processing/scheduler.c
  • libstrongswan/processing/watcher.c
• Configuration & Management Socket Interface
  • libcharon/plugins/stroke/stroke_socket.c
  • libcharon/plugins/vici/vici_socket.c
• High Availability Plugin
  • libcharon/plugins/ha/ha_cache.c | ha_ctl.c | ha_dispatcher.c | ha_segments.c
• EAP Radius Plugin
  • libcharon/plugins/eap_radius/eap_radius_accounting.c
  • libcharon/plugins/eap_radius/eap_radius_plugin.c
• PKCS#11 Smartcard Plugin
  • libstrongswan/plugins/pkcs11/pkcs11_manager.c
Jobs with Priority HIGH
• IKE Job Processing
  • libcharon/processing/jobs/adopt_children_job.c
  • libcharon/processing/jobs/dpd_timeout_job.c
  • libcharon/processing/jobs/process_message_job.c
  • libcharon/processing/jobs/retransmit_job.c
  • libcharon/processing/jobs/retry_initiate_job.c
  • libcharon/processing/jobs/send_dpd_job.c
  • libcharon/processing/jobs/send_keepalive_job.c
• High Availability Plugin
  • libcharon/plugins/ha/ha_socket.c
Jobs with Priority MEDIUM
• IKE Job Processing
  • libcharon/processing/jobs/acquire_job.c
  • libcharon/processing/jobs/delete_child_sa_job.c
  • libcharon/processing/jobs/delete_ike_sa_job.c
  • libcharon/processing/jobs/inactivity_job.c
  • libcharon/processing/jobs/initiate_mediation_job.c
  • libcharon/processing/jobs/initiate_tasks_job.c
  • libcharon/processing/jobs/mediation_job.c
  • libcharon/processing/jobs/migrate_job.c
  • libcharon/processing/jobs/process_message_job.c
  • libcharon/processing/jobs/rekey_child_sa_job.c
  • libcharon/processing/jobs/rekey_ike_sa_job.c
  • libcharon/processing/jobs/roam_job.c
  • libcharon/processing/jobs/start_action_job.c
  • libcharon/processing/jobs/update_sa_job.c
Jobs with Priority LOW
• IKE Job Processing
  • libcharon/processing/jobs/process_message_job.c
IKEv2 Message Processing Prioritization
    METHOD(job_t, get_priority, job_priority_t,
        private_process_message_job_t *this)
    {
        switch (this->message->get_exchange_type(this->message))
        {
            case IKE_AUTH:
                /* IKE_AUTH is rather expensive and often blocking,
                 * low priority */
                return JOB_PRIO_LOW;
            case INFORMATIONAL:
                /* INFORMATIONALs are inexpensive, for DPD we should
                 * have low reaction times */
                return JOB_PRIO_HIGH;
            case IKE_SA_INIT:
            case CREATE_CHILD_SA:
            default:
                /* IKE_SA_INIT is expensive, but we will drop them in the
                 * receiver if we are overloaded */
                return JOB_PRIO_MEDIUM;
        }
    }
Source: libcharon/processing/jobs/process_message_job.c
Thread and Job Priority Configuration
# strongswan.conf
    charon {
        threads = 32
    }
    libstrongswan {
        processor {
            priority_threads {
                high = 1
                medium = 4
            }
        }
    }
priority_threads reserves worker threads for jobs of the given priority and above. Lower-priority jobs (IKE_AUTH, which may block on RADIUS or CRL fetching) therefore can never occupy every thread, and DPD and IKE_SA_INIT processing keeps running under load.
ipsec statusall
    worker threads: 2 of 32 idle, 5/1/2/22 working, job queue: 0/0/1/149, scheduled: 198
The slash-separated counters are per priority in the order CRITICAL/HIGH/MEDIUM/LOW: 22 threads are busy with LOW (IKE_AUTH) jobs, 149 more LOW jobs are queued, and the 2 idle threads are not handed LOW jobs because fewer threads are free than the 5 reserved for higher priorities. "scheduled" is the number of events waiting in the event scheduler.
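To see what the reservation buys, here is an added simulation of the dispatch rule in C. It is a model written for this page, not the code in libstrongswan/processing/processor.c; the names sim_* and scenario_* and the exact idle-thread accounting are assumptions of this example. A thread looking for work walks the queues from CRITICAL down to LOW and takes a job of a given priority only when more threads are idle than are reserved for the priorities above it. The scenarios replay the slide's configuration (32 threads, high = 1, medium = 4) against a constructed flood of 200 IKE_AUTH jobs.

```c
#include <stdio.h>

/* Job priorities in descending order, mirroring job_priority_t in
 * libstrongswan/processing/jobs/job.h */
enum { PRIO_CRITICAL = 0, PRIO_HIGH, PRIO_MEDIUM, PRIO_LOW, PRIO_MAX };

typedef struct {
	int threads;              /* charon.threads */
	int reserved[PRIO_MAX];   /* libstrongswan.processor.priority_threads.<prio> */
	int queued[PRIO_MAX];     /* jobs waiting in the queue of each priority */
	int working[PRIO_MAX];    /* threads currently running a job of each priority */
} sim_processor_t;

static int sim_idle(const sim_processor_t *p)
{
	int busy = 0;

	for (int i = 0; i < PRIO_MAX; i++)
	{
		busy += p->working[i];
	}
	return p->threads - busy;
}

/* Reservation rule (modelled, not copied, from the processor): a job of
 * priority i is handed to an idle thread only if more threads are idle than
 * are reserved for the priorities above i. Returns the priority whose queue
 * is served next, or -1 if every idle thread is held back for higher work. */
int sim_pick(const sim_processor_t *p)
{
	int idle = sim_idle(p), reserved = 0;

	if (idle <= 0)
	{
		return -1;
	}
	for (int i = 0; i < PRIO_MAX; i++)
	{
		if (reserved && reserved >= idle)
		{
			return -1;
		}
		reserved += p->reserved[i];
		if (p->queued[i] > 0)
		{
			return i;
		}
	}
	return -1;
}

/* Hand out jobs until no idle thread may take one; returns the number started */
int sim_dispatch(sim_processor_t *p)
{
	int started = 0, prio;

	while ((prio = sim_pick(p)) >= 0)
	{
		p->queued[prio]--;
		p->working[prio]++;
		started++;
	}
	return started;
}

/* 32 threads, high = 1, medium = 4, then 200 LOW (IKE_AUTH) jobs arrive at once.
 * Returns how many threads the LOW jobs were allowed to occupy. */
int scenario_low_flood(void)
{
	sim_processor_t p = { .threads = 32 };

	p.reserved[PRIO_HIGH] = 1;
	p.reserved[PRIO_MEDIUM] = 4;
	p.queued[PRIO_LOW] = 200;
	sim_dispatch(&p);
	printf("worker threads: %d of %d idle, %d/%d/%d/%d working, job queue: %d/%d/%d/%d\n",
		   sim_idle(&p), p.threads, p.working[0], p.working[1], p.working[2],
		   p.working[3], p.queued[0], p.queued[1], p.queued[2], p.queued[3]);
	return p.working[PRIO_LOW];
}

/* Same flood, then one HIGH (DPD INFORMATIONAL) job is queued. With the
 * reservation it starts at once; without it every thread sits in blocking
 * IKE_AUTH work and the liveness check waits. Returns 1 if the DPD job ran. */
int scenario_dpd_runs(int with_reservation)
{
	sim_processor_t p = { .threads = 32 };

	if (with_reservation)
	{
		p.reserved[PRIO_HIGH] = 1;
		p.reserved[PRIO_MEDIUM] = 4;
	}
	p.queued[PRIO_LOW] = 200;
	sim_dispatch(&p);
	p.queued[PRIO_HIGH] = 1;
	return sim_dispatch(&p) == 1;
}

int main(void)
{
	printf("LOW jobs may occupy %d of 32 threads\n", scenario_low_flood());
	printf("DPD runs with reservation: %d, without: %d\n",
		   scenario_dpd_runs(1), scenario_dpd_runs(0));
	return 0;
}
```

With the slide's configuration the flood stops at 27 busy threads and a DPD INFORMATIONAL queued afterwards is dispatched immediately; with no priority_threads at all the 200 IKE_AUTH jobs take all 32 threads and the liveness check is stuck behind them. That is the thread-starvation case from the agenda: a burst of slow authentications (a RADIUS server that stops answering, a CRL fetch that hangs) must not also take DPD and IKE_SA_INIT handling down with it.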
strongSwan Training for Cisco – Session 1
Event Scheduler
Event Scheduler
• Binary Heap
  • Binary tree organized as a min-heap with the event time as key
  • The heap starts with an array of 64 entries; the array size doubles each time the heap runs out of entries
  • Implemented in src/libstrongswan/processing/scheduler.c
[Figure: the min-heap drawn as a binary tree, with the array indices 1 to 15 shown beneath the nodes: the root is at index 1, and the children of node i are at 2i and 2i+1]
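An added C implementation of that data structure, written for this page rather than taken from scheduler.c (the names scheduler_*, the event_t fields and the integer stand-in for the job are assumptions of this example). It keeps the 1-based array layout of the figure, starts with 64 slots, doubles when the array is exhausted and returns events in time order:

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct {
	uint64_t time;   /* absolute fire time, the heap key */
	int job;         /* stand-in for the job_t* the real scheduler stores */
} event_t;

typedef struct {
	event_t **heap;  /* 1-based: heap[1] is the root, children of i sit at 2i and 2i+1 */
	int size;        /* array capacity, starts at 64 and doubles when exhausted */
	int count;       /* events currently stored */
} scheduler_t;

scheduler_t *scheduler_create(void)
{
	scheduler_t *s = calloc(1, sizeof(*s));

	s->size = 64;
	s->heap = calloc(s->size + 1, sizeof(event_t*));  /* slot 0 stays unused */
	return s;
}

/* Append the event as the last leaf and sift it up while its parent (index i/2)
 * fires later than it does. Allocation failures are not handled here. */
void scheduler_schedule(scheduler_t *s, uint64_t time, int job)
{
	event_t *e = malloc(sizeof(*e));
	int i;

	e->time = time;
	e->job = job;
	if (s->count == s->size)
	{
		s->size *= 2;
		s->heap = realloc(s->heap, (s->size + 1) * sizeof(event_t*));
	}
	i = ++s->count;
	while (i > 1 && s->heap[i / 2]->time > e->time)
	{
		s->heap[i] = s->heap[i / 2];
		i /= 2;
	}
	s->heap[i] = e;
}

/* Remove and return the event with the smallest time (NULL if empty). The last
 * leaf takes the root's place and sifts down along the smaller child. Caller frees. */
event_t *scheduler_pop(scheduler_t *s)
{
	event_t *top, *last;
	int i = 1;

	if (s->count == 0)
	{
		return NULL;
	}
	top = s->heap[1];
	last = s->heap[s->count--];
	while (2 * i <= s->count)
	{
		int child = 2 * i;

		if (child + 1 <= s->count && s->heap[child + 1]->time < s->heap[child]->time)
		{
			child++;
		}
		if (last->time <= s->heap[child]->time)
		{
			break;
		}
		s->heap[i] = s->heap[child];
		i = child;
	}
	if (s->count > 0)
	{
		s->heap[i] = last;
	}
	return top;
}

void scheduler_destroy(scheduler_t *s)
{
	for (int i = 1; i <= s->count; i++)
	{
		free(s->heap[i]);
	}
	free(s->heap);
	free(s);
}

/* Schedule n events and report the array capacity, to show the 64 -> 128 -> 256 growth */
int scheduler_capacity_after(int n)
{
	scheduler_t *s = scheduler_create();
	int size;

	for (int i = 0; i < n; i++)
	{
		scheduler_schedule(s, (uint64_t)(n - i), i);
	}
	size = s->size;
	scheduler_destroy(s);
	return size;
}

/* Schedule constructed events out of order and check they pop in time order;
 * returns 1 on success, 0 on the first out-of-order event. */
int scheduler_orders_events(void)
{
	scheduler_t *s = scheduler_create();
	uint64_t times[] = { 50, 10, 40, 10, 30, 20, 5 };
	uint64_t prev = 0;
	event_t *e;
	int ok = 1;

	for (int i = 0; i < (int)(sizeof(times) / sizeof(times[0])); i++)
	{
		scheduler_schedule(s, times[i], i);
	}
	while ((e = scheduler_pop(s)))
	{
		if (e->time < prev)
		{
			ok = 0;
		}
		prev = e->time;
		free(e);
	}
	scheduler_destroy(s);
	return ok;
}
```

Insertion and removal are O(log n) in the number of pending events, which is why the 198 scheduled events in the status output of the previous section cost nothing to maintain. The real scheduler additionally runs a dedicated thread that sleeps until the head event is due and is woken whenever a newly scheduled event sorts in front of it; this example only shows the heap.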
strongSwan Training for Cisco – Session 1
IKE Message Tasks
IKEv2 Tasks I
    enum task_type_t {
        /** establish an unauthenticated IKE_SA */
        TASK_IKE_INIT,
        /** detect NAT situation */
        TASK_IKE_NATD,
        /** handle MOBIKE stuff */
        TASK_IKE_MOBIKE,
        /** authenticate the initiated IKE_SA */
        TASK_IKE_AUTH,
        /** AUTH_LIFETIME negotiation, RFC4478 */
        TASK_IKE_AUTH_LIFETIME,
        /** certificate processing before authentication */
        TASK_IKE_CERT_PRE,
        /** certificate processing after authentication */
        TASK_IKE_CERT_POST,
        /** Configuration payloads, virtual IP and such */
        TASK_IKE_CONFIG,
        /** rekey an IKE_SA */
        TASK_IKE_REKEY,
        ...
Source: libcharon/sa/task.h
IKEv2 Tasks II
        ...
        /** reestablish a complete IKE_SA, break-before-make */
        TASK_IKE_REAUTH,
        /** completion task for make-before-break IKE_SA re-auth */
        TASK_IKE_REAUTH_COMPLETE,
        /** delete an IKE_SA */
        TASK_IKE_DELETE,
        /** liveness check */
        TASK_IKE_DPD,
        /** Vendor ID processing */
        TASK_IKE_VENDOR,
        /** handle ME stuff */
        TASK_IKE_ME,
        /** establish a CHILD_SA within an IKE_SA */
        TASK_CHILD_CREATE,
        /** delete an established CHILD_SA */
        TASK_CHILD_DELETE,
        /** rekey a CHILD_SA */
        TASK_CHILD_REKEY,
        ...
IKEv1 Tasks I
        ...
        /** IKEv1 main mode */
        TASK_MAIN_MODE,
        /** IKEv1 aggressive mode */
        TASK_AGGRESSIVE_MODE,
        /** IKEv1 informational exchange */
        TASK_INFORMATIONAL,
        /** IKEv1 delete using an informational */
        TASK_ISAKMP_DELETE,
        /** IKEv1 XAUTH authentication */
        TASK_XAUTH,
        /** IKEv1 Mode Config */
        TASK_MODE_CONFIG,
        /** IKEv1 quick mode */
        TASK_QUICK_MODE,
        /** IKEv1 delete of a quick mode SA */
        TASK_QUICK_DELETE,
        /** IKEv1 vendor ID payload handling */
        TASK_ISAKMP_VENDOR,
        ...
IKEv1 Tasks II
        ...
        /** IKEv1 NAT detection */
        TASK_ISAKMP_NATD,
        /** IKEv1 DPD */
        TASK_ISAKMP_DPD,
        /** IKEv1 pre-authentication certificate handling */
        TASK_ISAKMP_CERT_PRE,
        /** IKEv1 post-authentication certificate handling */
        TASK_ISAKMP_CERT_POST,
    };
Task Object
    struct task_t {
        /** Build a request or response message for this task */
        status_t (*build) (task_t *this, message_t *message);
        /** Process a request or response message for this task */
        status_t (*process) (task_t *this, message_t *message);
        /** Get the type of the task implementation */
        task_type_t (*get_type) (task_t *this);
        /** Migrate a task to a new IKE_SA */
        void (*migrate) (task_t *this, ike_sa_t *ike_sa);
        /** Destroys a task_t object */
        void (*destroy) (task_t *this);
    };
Source: libcharon/sa/task.h
IKEv2 Task Example for TASK_IKE_NATD I
    ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
    {
        private_ike_natd_t *this;

        INIT(this,
            .public = {
                .task = {
                    .get_type = _get_type,
                    .migrate = _migrate,
                    .destroy = _destroy,
                },
                .has_mapping_changed = _has_mapping_changed,
            },
            .ike_sa = ike_sa,
            .initiator = initiator,
            .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
        );
        ...
Source: libcharon/sa/ikev2/tasks/ike_natd.c
IKEv2 Task Example for TASK_IKE_NATD II
...
        if (initiator)
        {
            this->public.task.build = _build_i;
            this->public.task.process = _process_i;
        }
        else
        {
            this->public.task.build = _build_r;
            this->public.task.process = _process_r;
        }
        return &this->public;
    }
Source: libcharon/sa/ikev2/tasks/ike_natd.c
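The role-dependent wiring above is easier to follow with a runnable stand-in. The following C code is an added example, not the project's ike_natd.c: it defines a cut-down task_t with only build and process, a private struct that embeds it as the slide's private_ike_natd_t does, and a toy exchange in which the responder reports the source address it observed so the initiator can tell whether a NAT rewrote it. The real task exchanges NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP hashes (hence the SHA-1 hasher created above) rather than plain addresses; the natd_* names, the message_t fields, the status_t values and the constructed addresses are assumptions of this example.

```c
#include <string.h>

typedef enum { SUCCESS, NEED_MORE, FAILED } status_t;

/* Toy message: one request or response of the exchange (constructed format) */
typedef struct {
	int request;
	char claimed_src[32];    /* request: the address the initiator believes it has */
	char observed_src[32];   /* response: the source address the responder saw */
} message_t;

typedef struct task_t task_t;

/* Same shape as the slide's task_t, reduced to the two role-specific methods */
struct task_t {
	status_t (*build)(task_t *this, message_t *message);
	status_t (*process)(task_t *this, message_t *message);
};

typedef struct {
	task_t public;           /* must stay the first member so task_t* casts back */
	int initiator;
	char local_addr[32];     /* address this side believes it has */
	char peer_addr_seen[32]; /* responder only: peer address read off the wire */
	int nat_detected;
} private_natd_t;

#define PRIV(t) ((private_natd_t*)(t))

/* Initiator: put our own idea of our address into the request */
static status_t build_i(task_t *this, message_t *msg)
{
	msg->request = 1;
	strncpy(msg->claimed_src, PRIV(this)->local_addr, sizeof(msg->claimed_src) - 1);
	return NEED_MORE;    /* request built, the response is still expected */
}

/* Responder: compare what the peer claims with what we actually saw */
static status_t process_r(task_t *this, message_t *msg)
{
	if (!msg->request)
	{
		return FAILED;
	}
	PRIV(this)->nat_detected =
		strcmp(msg->claimed_src, PRIV(this)->peer_addr_seen) != 0;
	return NEED_MORE;    /* the responder still has to build its answer */
}

/* Responder: tell the peer which source address reached us */
static status_t build_r(task_t *this, message_t *msg)
{
	msg->request = 0;
	strncpy(msg->observed_src, PRIV(this)->peer_addr_seen, sizeof(msg->observed_src) - 1);
	return SUCCESS;      /* the responder's part of the task is complete */
}

/* Initiator: if the responder saw a different address, a NAT is in the path */
static status_t process_i(task_t *this, message_t *msg)
{
	if (msg->request)
	{
		return FAILED;
	}
	PRIV(this)->nat_detected =
		strcmp(msg->observed_src, PRIV(this)->local_addr) != 0;
	return SUCCESS;
}

/* Mirrors the slide: the role decides which build/process pair the task gets */
void natd_init(private_natd_t *this, int initiator, const char *local_addr,
			   const char *peer_addr_seen)
{
	memset(this, 0, sizeof(*this));
	this->initiator = initiator;
	strncpy(this->local_addr, local_addr, sizeof(this->local_addr) - 1);
	strncpy(this->peer_addr_seen, peer_addr_seen, sizeof(this->peer_addr_seen) - 1);
	if (initiator)
	{
		this->public.build = build_i;
		this->public.process = process_i;
	}
	else
	{
		this->public.build = build_r;
		this->public.process = process_r;
	}
}

/* One request/response round trip, driven the way a task manager would:
 * initiator builds, responder processes and builds, initiator processes.
 * Returns the initiator's verdict (1 = NAT between the peers), -1 on failure. */
int natd_exchange(const char *initiator_addr, const char *addr_seen_by_responder)
{
	private_natd_t init, resp;
	message_t msg;

	memset(&msg, 0, sizeof(msg));
	natd_init(&init, 1, initiator_addr, "");
	natd_init(&resp, 0, "203.0.113.1", addr_seen_by_responder);

	if (init.public.build(&init.public, &msg) != NEED_MORE ||
		resp.public.process(&resp.public, &msg) != NEED_MORE ||
		resp.public.build(&resp.public, &msg) != SUCCESS ||
		init.public.process(&init.public, &msg) != SUCCESS)
	{
		return -1;
	}
	return init.nat_detected;
}
```

The return values are the part worth studying: NEED_MORE from a build or process step tells the driving loop that the task's exchange is not finished, SUCCESS retires the task, and a message of the wrong kind is rejected before it changes any state. That is the contract the IKEv2 task manager relies on when it runs a whole set of tasks through one IKE_SA_INIT or IKE_AUTH round trip.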
strongSwan Training for Cisco – Session 1
IKE SA Retrieval
Efficient IKE_SA Lookup using Hashtables
[Figure: hashtable with 8 buckets numbered 0 to 7, each holding a Key / IKE_SA entry, distributed over 2 segments numbered 0 and 1]
Recommended configuration in strongswan.conf:
    charon {
        ikesa_table_size = 16
        ikesa_table_segments = 2
    }
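An added C model of the segmented table, written for this page and not taken from charon's IKE_SA manager (the table_* names, hash_id and the integer stand-in for the IKE_SA are assumptions of this example). The row is hash & (table_size - 1) and the segment is row & (segments - 1), which is why both values are kept at powers of two; this example rounds other values up. In charon each segment carries its own lock, so lookups and inserts for IKE_SAs in different segments never wait on each other; the locks themselves are left out here to keep the bucket arithmetic in view.

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct {
	uint64_t spi_i;
	uint64_t spi_r;
} ike_sa_id_t;

typedef struct entry_t {
	ike_sa_id_t id;
	int ike_sa;             /* stand-in for the ike_sa_t* the real manager stores */
	struct entry_t *next;   /* collision chain within the bucket */
} entry_t;

typedef struct {
	entry_t **buckets;
	uint32_t table_mask;    /* table size - 1: size is a power of two, so hash & mask is the row */
	uint32_t segment_mask;  /* segment count - 1: the segment (and its lock) is row & mask */
} ike_sa_table_t;

static uint32_t round_pow2(uint32_t n)
{
	uint32_t p = 1;

	while (p < n)
	{
		p <<= 1;
	}
	return p;
}

/* ikesa_table_size and ikesa_table_segments; values that are not powers of two
 * are rounded up here, and there can be no more segments than buckets */
ike_sa_table_t *table_create(uint32_t size, uint32_t segments)
{
	ike_sa_table_t *t = calloc(1, sizeof(*t));

	size = round_pow2(size);
	segments = round_pow2(segments);
	if (segments > size)
	{
		segments = size;
	}
	t->buckets = calloc(size, sizeof(entry_t*));
	t->table_mask = size - 1;
	t->segment_mask = segments - 1;
	return t;
}

/* Multiplicative mix of both SPIs; illustrative only, not charon's hash */
static uint32_t hash_id(const ike_sa_id_t *id)
{
	uint64_t h = id->spi_i * 0x9E3779B97F4A7C15ull ^ id->spi_r;

	h ^= h >> 32;
	return (uint32_t)h;
}

uint32_t table_row(const ike_sa_table_t *t, const ike_sa_id_t *id)
{
	return hash_id(id) & t->table_mask;
}

uint32_t table_segment(const ike_sa_table_t *t, const ike_sa_id_t *id)
{
	return table_row(t, id) & t->segment_mask;
}

uint32_t table_size(const ike_sa_table_t *t) { return t->table_mask + 1; }
uint32_t table_segments(const ike_sa_table_t *t) { return t->segment_mask + 1; }

/* Insert at the head of the row's chain (under the segment's write lock in charon) */
void table_insert(ike_sa_table_t *t, ike_sa_id_t id, int ike_sa)
{
	entry_t *e = malloc(sizeof(*e));
	uint32_t row = table_row(t, &id);

	e->id = id;
	e->ike_sa = ike_sa;
	e->next = t->buckets[row];
	t->buckets[row] = e;
}

/* Walk only the row's chain; returns the IKE_SA or -1 if the SPI pair is unknown */
int table_lookup(const ike_sa_table_t *t, ike_sa_id_t id)
{
	for (entry_t *e = t->buckets[table_row(t, &id)]; e; e = e->next)
	{
		if (e->id.spi_i == id.spi_i && e->id.spi_r == id.spi_r)
		{
			return e->ike_sa;
		}
	}
	return -1;
}

void table_destroy(ike_sa_table_t *t)
{
	for (uint32_t row = 0; row <= t->table_mask; row++)
	{
		entry_t *e = t->buckets[row];

		while (e)
		{
			entry_t *next = e->next;

			free(e);
			e = next;
		}
	}
	free(t->buckets);
	free(t);
}

/* Insert three constructed IKE_SAs into a 16/2 table; returns the IKE_SA found
 * for the third SPI pair, or -2 if an unknown pair wrongly matched anything */
int table_demo(void)
{
	ike_sa_table_t *t = table_create(16, 2);
	ike_sa_id_t ids[] = {
		{ 0x1111111111111111ull, 0x2222222222222222ull },
		{ 0x3333333333333333ull, 0x4444444444444444ull },
		{ 0x5555555555555555ull, 0x6666666666666666ull },
	};
	ike_sa_id_t unknown = { 0x7777777777777777ull, 0x8888888888888888ull };
	int found;

	for (int i = 0; i < 3; i++)
	{
		table_insert(t, ids[i], 100 + i);
	}
	found = table_lookup(t, unknown) == -1 ? table_lookup(t, ids[2]) : -2;
	table_destroy(t);
	return found;
}

/* A configured 10 buckets / 3 segments round up to 16 / 4; returns size * 100 + segments */
int table_rounding_demo(void)
{
	ike_sa_table_t *t = table_create(10, 3);
	int r = (int)(table_size(t) * 100 + table_segments(t));

	table_destroy(t);
	return r;
}
```

One design point worth keeping in mind when sizing such a table: the initiator SPI is chosen by the peer, so the mixing function decides whether a remote party can steer many half-open IKE_SAs into one row and one segment. The multiplicative hash in this example is for illustration only and says nothing about what charon uses; a production table wants a hash the peer cannot predict, and a table_size large enough that the chains stay short at the expected number of concurrent IKE_SAs.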