Next: The IKE Protocol Up: Implementing Internet Key Exchange Previous: Paper Organization

OpenBSD IPsec

  IPsec in the OpenBSD kernel is implemented as just another pair of IP transport protocols (AH and ESP). Thus, incoming IPsec packets destined to the local host are submitted to the appropriate IPsec protocol for processing based on the protocol number in the IP header. The SA needed to process the packet is located in an in-kernel database using information retrieved from the packet itself. Once the packet has been correctly processed (decrypted, authenticity verified, etc.), it is re-queued for further processing by the IP module, accompanied by additional information (such as the fact that it was received securely) for use by higher protocols and the socket layer.

Outgoing packets require somewhat different processing. When a packet is handed to the IP module for transmission, a lookup is made in a modified version of the routing table (called the Security Policy Database, or SPD, in the IPsec standards) to determine whether that packet needs to be processed by IPsec. If this is the case, the result of the lookup also specifies what SA(s) to use for IPsec-processing the packet. Once processed, the packet is then re-queued for transmission by IP. If no SA is currently established with the destination host, the packet is dropped and a message is sent to the key management daemon through the PF_KEY interface [16]. It is then the key management daemon's task to negotiate the necessary SAs.

To manage the SA and SPD tables, we use the PF_KEY interface, which is similar in concept to the routing socket interface available in BSD. Both manual keying utilities and key management daemons (such as IKE or Photuris [13]) use this interface to communicate with the kernel.
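A toy model of the three paths described above (inbound dispatch on protocol number and SA lookup, outbound SPD lookup, and the PF_KEY ACQUIRE message sent when no SA exists), added here as an example and not code from the paper or the OpenBSD kernel. The class names, the XOR stand-in for real ESP/AH processing, and indexing inbound SAs by (destination, SPI, protocol) are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
ESP, AH = 50, 51  # IP protocol numbers of the two IPsec transport protocols

@dataclass
class SA:
    spi: int
    proto: int   # ESP or AH
    dst: str
    key: bytes
@dataclass
class SPDEntry:
    dst_net: ipaddress.IPv4Network
    action: str        # "bypass", "discard" or "ipsec"
    proto: int = ESP   # IPsec protocol required when action == "ipsec"
def toy_protect(sa, data):
    # Placeholder for real ESP/AH transforms: a self-inverse XOR with the SA key.
    return bytes(b ^ sa.key[i % len(sa.key)] for i, b in enumerate(data))

class IPsecStack:
    """Constructed model of the kernel's SPD, SA database and PF_KEY ACQUIRE path."""
    def __init__(self, spd):
        # Most specific prefix first, mimicking a routing-table style lookup.
        self.spd = sorted(spd, key=lambda e: e.dst_net.prefixlen, reverse=True)
        self.sad = {}          # (dst, spi, proto) -> SA, how inbound SAs are indexed here
        self.pfkey_queue = []  # messages handed to the key management daemon

    def add_sa(self, sa):
        self.sad[(sa.dst, sa.spi, sa.proto)] = sa

    def output(self, dst, payload):
        """Outbound: SPD lookup, then SA lookup; no SA means drop plus PF_KEY ACQUIRE."""
        entry = next((e for e in self.spd if ipaddress.ip_address(dst) in e.dst_net), None)
        if entry is None or entry.action == "bypass":
            return ("bypass", payload)
        if entry.action == "discard":
            return ("dropped", None)
        sa = next((s for s in self.sad.values() if s.dst == dst and s.proto == entry.proto), None)
        if sa is None:
            self.pfkey_queue.append({"type": "ACQUIRE", "dst": dst, "proto": entry.proto})
            return ("dropped", None)
        return ("ipsec", (sa.proto, sa.spi, toy_protect(sa, payload)))

    def input(self, dst, proto, spi, body):
        """Inbound: dispatch on IP protocol number, find the SA by (dst, SPI, proto)."""
        if proto not in (ESP, AH):
            return ("plain", body, False)           # not IPsec: ordinary IP processing
        sa = self.sad.get((dst, spi, proto))
        if sa is None:
            return ("dropped", None, False)         # unknown SA: packet is discarded
        return ("plain", toy_protect(sa, body), True)  # True: received securely
```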

A somewhat dated overview of the OpenBSD IPsec architecture is given in [15].


Angelos D. Keromytis
4/20/2000