
OpenBSD IPsec Implementation

  In the OpenBSD kernel, IPsec is implemented as just another pair of protocols (AH and ESP) sitting on top of IP. Thus, incoming IPsec packets destined for the local host are processed by the appropriate IPsec protocol through the protocol switch structure used for all protocols (e.g., TCP and UDP). The selection of the appropriate protocol is based on the protocol number in the IP header. The SA needed to process the packet is found in an in-kernel database using information retrieved from the packet itself[*]. Once the packet has been correctly processed (decrypted, authenticity verified, etc.), it is re-queued for further processing by the IP module, accompanied by additional information (such as the fact that it was received under a specific SA) for use by higher-layer protocols and the socket layer.

Outgoing packets require somewhat different processing. When a packet is handed to the IP module for transmission (in ip_output), a lookup is made in the Security Policy Database (SPD) to determine whether that packet needs to be processed by IPsec. The SPD in OpenBSD is implemented as an extension to the standard BSD routing table. The decision is made based on the source/destination addresses, transport protocol, and port numbers. If IPsec processing is needed, the lookup also specifies which SA(s) to use for IPsec processing of the packet (even to the extent of specifying the encryption/authentication algorithms to use). If no suitable SA is currently established with the destination host, the packet is dropped and a message is sent to the key management daemon through the PF_KEY interface [10]. It is then the key management daemon's task to negotiate the necessary SAs. Otherwise, the packet is processed by IPsec and passed to ip_output again for transmission. The packet also carries an indication of what IPsec processing has already occurred on it, to avoid infinite processing loops.
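The two paths described above, inbound dispatch on the IP protocol number with an SA lookup keyed by the packet's own fields, and outbound SPD consultation in ip_output with a PF_KEY ACQUIRE when no SA exists and a "already processed" mark to stop the re-entry loop, as an added miniature model in C. This is illustration written for this page, not OpenBSD kernel code: the identifiers (spd_lookup, sad_lookup, PKT_IPSEC_DONE, the result codes) and the flat-array SPD/SAD are assumptions of the model, the real SPD lives in the routing table, and no cryptography is performed, only the control flow is reproduced.

```c
/* Added illustration, not OpenBSD kernel code: a miniature model of the
 * inbound and outbound IPsec paths described in this section. Identifiers
 * such as spd_lookup, sad_lookup and PKT_IPSEC_DONE are assumed names for
 * the model, not the kernel's own. No encryption or MAC is computed here. */
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_TCP 6
#define IPPROTO_ESP 50
#define IPPROTO_AH  51
#define PKT_IPSEC_DONE 0x1 /* assumed flag: IPsec applied / received under an SA */

struct pkt {
    uint32_t src, dst;
    uint8_t  proto;       /* protocol number in the (outer) IP header */
    uint16_t dport;
    uint32_t spi;         /* valid once proto is ESP or AH */
    uint8_t  inner_proto; /* protocol carried inside ESP/AH */
    unsigned flags;
};
struct sa { uint32_t dst, spi; uint8_t proto; int established; };
struct spd_entry { uint32_t src, dst; uint8_t proto; uint16_t dport; uint8_t ipsec_proto; };

enum { OUT_SENT_PROTECTED, OUT_SENT_PLAIN, OUT_DROPPED_ACQUIRE,
       IN_TCP_PROTECTED, IN_TCP_PLAIN, IN_DROPPED_NO_SA, IN_UNKNOWN };

static struct sa sad[8]; static int sad_n;              /* SA database */
static struct spd_entry spd[8]; static int spd_n;       /* policy database */
static int acquires_sent; /* PF_KEY ACQUIRE messages handed to key management */

void ipsec_reset(void) { sad_n = spd_n = acquires_sent = 0; }
void spd_add(uint32_t s, uint32_t d, uint8_t proto, uint16_t dport, uint8_t ipsec) {
    spd[spd_n++] = (struct spd_entry){ s, d, proto, dport, ipsec };
}
void sad_add(uint32_t dst, uint32_t spi, uint8_t proto) {
    sad[sad_n++] = (struct sa){ dst, spi, proto, 1 };
}
int acquire_count(void) { return acquires_sent; }

/* SPD lookup on src/dst/proto/port selectors; 0 in a selector means "any". */
static const struct spd_entry *spd_lookup(const struct pkt *p) {
    for (int i = 0; i < spd_n; i++)
        if (spd[i].src == p->src && spd[i].dst == p->dst &&
            (!spd[i].proto || spd[i].proto == p->proto) &&
            (!spd[i].dport || spd[i].dport == p->dport))
            return &spd[i];
    return NULL;
}
/* SA lookup. Inbound must match the SPI taken from the packet; outbound
 * takes any established SA to the destination for the required protocol. */
static struct sa *sad_lookup(uint32_t dst, uint8_t proto, uint32_t spi, int match_spi) {
    for (int i = 0; i < sad_n; i++)
        if (sad[i].established && sad[i].dst == dst && sad[i].proto == proto &&
            (!match_spi || sad[i].spi == spi))
            return &sad[i];
    return NULL;
}

int ip_output(struct pkt *p);

/* Apply the SA (encapsulate), mark the packet, and re-enter ip_output. */
static int ipsec_output(struct pkt *p, const struct sa *s) {
    p->inner_proto = p->proto;
    p->proto = s->proto;
    p->spi = s->spi;
    p->flags |= PKT_IPSEC_DONE;   /* the mark that prevents a second SPD pass */
    return ip_output(p);
}

int ip_output(struct pkt *p) {
    if (p->flags & PKT_IPSEC_DONE)        /* already processed: just transmit */
        return OUT_SENT_PROTECTED;
    const struct spd_entry *e = spd_lookup(p);
    if (!e || !e->ipsec_proto)
        return OUT_SENT_PLAIN;            /* no policy requires IPsec */
    struct sa *s = sad_lookup(p->dst, e->ipsec_proto, 0, 0);
    if (!s) {                             /* no SA yet: drop, ask key management */
        acquires_sent++;
        printf("PF_KEY ACQUIRE: %s SA to %08x\n",
               e->ipsec_proto == IPPROTO_ESP ? "ESP" : "AH", (unsigned)p->dst);
        return OUT_DROPPED_ACQUIRE;
    }
    return ipsec_output(p, s);
}

/* Inbound: dispatch on the IP protocol number, as the protocol switch does. */
int ip_input(struct pkt *p) {
    switch (p->proto) {
    case IPPROTO_ESP:
    case IPPROTO_AH: {
        struct sa *s = sad_lookup(p->dst, p->proto, p->spi, 1);
        if (!s) return IN_DROPPED_NO_SA;  /* unknown SPI for this dst/proto */
        p->proto = p->inner_proto;        /* decapsulate */
        p->flags |= PKT_IPSEC_DONE;       /* "received under SA" for upper layers */
        return ip_input(p);               /* re-queue to the IP module */
    }
    case IPPROTO_TCP:
        return (p->flags & PKT_IPSEC_DONE) ? IN_TCP_PROTECTED : IN_TCP_PLAIN;
    default:
        return IN_UNKNOWN;
    }
}
```

Run the model by adding a policy with spd_add, sending a packet through ip_output (the first attempt is dropped with an ACQUIRE), installing the SA with sad_add, and sending again; feeding the resulting ESP packet to ip_input on a host holding the same SA yields a TCP segment marked as received under that SA, while a packet with an unknown SPI is dropped.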


Stefan Miltchev
4/17/2002