Andreas Steffen, 29.06.2015, Siemens-5.pptx 1 strongSwan Workshop for Siemens Block 5 Building & Testing strongSwan Prof. Dr. Andreas Steffen andreas.steffen@strongswan.org


Page 1

strongSwan Workshop for Siemens

Block 5: Building & Testing strongSwan

Prof. Dr. Andreas Steffen

andreas.steffen@strongswan.org

Page 2

strongSwan Workshop for Siemens

Configuring and Building strongSwan

Page 3

strongSwan Workshop for Siemens

Configuration of Logging and Debug Levels

Page 4

Debug Message Groups

asn   ASN.1 encoding/decoding
dmn   IKEv2 daemon specific
mgr   IKE_SA manager
ike   IKE_SA
chd   CHILD_SA
job   Job Processing
cfg   Configuration backends
knl   Kernel interfaces
net   Networking/sockets
enc   Message encoding/decoding
lib   libstrongswan
tls   libtls (TLS stack)
any   All message groups
esp   libipsec
tnc   Trusted Network Connect
imc   Integrity Measurement Collector
imv   Integrity Measurement Verifier
pts   Platform Trust Services
app   Applications

Page 5

Debug Message Levels

-1   Absolutely silent
 0   Very basic auditing logs (e.g. SA up/down)
 1   General control flow showing what's going on, all errors
 2   Detailed control flow, good for intensive debugging
 3   Raw data dumps in HEX format, used with interoperability problems
 4   Include sensitive cryptographic keying material (secrets)

Page 6

Default Configuration

• Statically in ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="cfg 2, ike 2, knl 3"

• Dynamically using ipsec stroke

ipsec stroke loglevel cfg 2
ipsec stroke loglevel ike 2
ipsec stroke loglevel knl 3

ipsec stroke loglevel any 1

Page 7

Configuration in strongswan.conf I

charon {
    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }
    # continued on next slide ...
}

Page 8

Configuration in strongswan.conf II

charon {
    # continuation from previous slide
    # ...
    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # default level to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
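As an added example (not part of the slides and not strongSwan's own code), the following Python script parses the strongswan.conf logger syntax shown on the two slides above, resolves the effective level of every debug message group per logger (explicit key, otherwise the logger's default, otherwise 1, as the slide comment states), and flags loggers that would write raw HEX dumps (level 3) or keying material (level 4). The parser, the audit logic and the sample configuration are this example's own; the third logger in the sample (/var/log/charon-debug.log) is constructed to trigger the level 4 finding. It also parses the charondebug string from the ipsec.conf slide.

```python
import re

# Debug message groups and levels, as listed on the slides above.
GROUPS = ["asn", "dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net",
          "enc", "lib", "tls", "esp", "tnc", "imc", "imv", "pts", "app"]
LEVELS = {-1: "absolutely silent", 0: "basic auditing (SA up/down)",
          1: "general control flow, all errors", 2: "detailed control flow",
          3: "raw HEX data dumps", 4: "sensitive keying material (secrets)"}

# One token per match: '{', '}', 'key = value' (value runs to end of line)
# or a bare section name.
_TOKEN = re.compile(
    r"\s*(?:(\{)|(\})|([^\s{}=]+)[ \t]*=[ \t]*([^\n{}]*)|([^\s{}=]+))")


def _tokenize(text):
    pos, tokens = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise ValueError("unparseable input at offset %d" % pos)
            break
        pos = m.end()
        if m.group(1):
            tokens.append(("open", None, None))
        elif m.group(2):
            tokens.append(("close", None, None))
        elif m.group(3):
            tokens.append(("kv", m.group(3), m.group(4).strip()))
        else:
            tokens.append(("name", m.group(5), None))
    return tokens


def parse_conf(text):
    """Parse strongswan.conf's nested 'section { key = value }' syntax into
    dicts; '#' starts a comment that runs to the end of the line."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = _tokenize(text)
    stack, i = [{}], 0
    root = stack[0]
    while i < len(tokens):
        kind, key, value = tokens[i]
        if kind == "name":          # a section: the name must be followed by '{'
            if i + 1 == len(tokens) or tokens[i + 1][0] != "open":
                raise ValueError("section %r not followed by '{'" % key)
            stack[-1][key] = section = {}
            stack.append(section)
            i += 1
        elif kind == "open":
            raise ValueError("'{' without a section name")
        elif kind == "close":
            stack.pop()
            if not stack:
                raise ValueError("unbalanced '}'")
        else:
            stack[-1][key] = value
        i += 1
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def effective_levels(logger):
    """Level each group logs at: explicit key, else 'default', else 1."""
    default = int(logger.get("default", 1))
    return {g: int(logger[g]) if g in logger else default for g in GROUPS}


def audit_loggers(conf):
    """Flag loggers whose effective level writes raw dumps (3) or secrets (4)."""
    findings = []
    for kind in ("filelog", "syslog"):
        for name, logger in conf.get("charon", {}).get(kind, {}).items():
            if not isinstance(logger, dict):
                continue
            for group, level in effective_levels(logger).items():
                if level >= 3:
                    findings.append((kind, name, group, level, LEVELS[min(level, 4)]))
    return findings


def parse_charondebug(value):
    """Parse the ipsec.conf charondebug string, e.g. 'cfg 2, ike 2, knl 3'."""
    levels = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        group, level = item.split()
        levels[group] = int(level)
    return levels


# Sample input: the loggers from the slides above plus one constructed logger
# (/var/log/charon-debug.log) left at level 4, i.e. writing secrets to disk.
SAMPLE_CONF = """
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T   # timestamp prefix
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
        /var/log/charon-debug.log { default = 4 }
    }
    syslog {
        daemon { }
        auth {
            default = -1
            ike = 0
        }
    }
}
"""


def run_audit(text=SAMPLE_CONF):
    return audit_loggers(parse_conf(text))
```

Running run_audit() on the sample lists knl on stderr at level 3 and every group on the constructed debug logger at level 4. The level 4 findings are the ones to treat as a key-disclosure risk: a log file written at that level needs the same access control as the keys it contains.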

Page 9

strongSwan Workshop for Siemens

Startup Self Tests

Page 10

Crypto Test Vectors

• Configuration in strongswan.conf

libstrongswan {
    crypto_test {
        # run the tests once when loading the crypto plugins
        on_add = yes
        # run the tests each time a crypto primitive is instantiated
        on_create = yes
        # at least one test vector required for acceptance of the crypto primitive
        required = yes
        # run the true random generator tests.
        # Enable only if a sufficiently large amount of entropy is available
        rng_true = yes
        # the default for all parameters is "no"
    }
}

• Enable test-vectors plugin

./configure ... --enable-test-vectors
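An added example, not from the slides or from strongSwan's libstrongswan, of the policy the crypto_test settings above express: a registry that runs known-answer tests when a primitive is added (on_add), again on every instantiation (on_create), and refuses primitives that have no test vector at all (required). hashlib supplies the primitives, the SHA-256 vectors are the standard FIPS 180 values, and BrokenSha256 is constructed here so that a faulty implementation can be seen being rejected at load time.

```python
import hashlib

# Known-answer test vectors (FIPS 180 SHA-256 results). Only "sha256" has
# vectors here; "sha1" is registered below without any, to show 'required'.
TEST_VECTORS = {
    "sha256": [
        (b"abc", bytes.fromhex(
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")),
        (b"", bytes.fromhex(
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")),
    ],
}


class CryptoTestError(Exception):
    """Raised when a primitive fails, or lacks, its self-test."""


class Registry:
    """Registry of hash constructors with the crypto_test policy knobs."""

    def __init__(self, on_add=False, on_create=False, required=False):
        self.on_add, self.on_create, self.required = on_add, on_create, required
        self._ctors = {}
        self.passed = 0      # number of test vectors that passed so far

    @classmethod
    def from_settings(cls, crypto_test):
        """Build from a dict shaped like strongswan.conf's crypto_test section."""
        flag = lambda key: crypto_test.get(key, "no").lower() == "yes"
        return cls(flag("on_add"), flag("on_create"), flag("required"))

    def add(self, name, ctor):
        """Register a primitive; with on_add the vectors run before acceptance."""
        if self.on_add:
            self._self_test(name, ctor)
        self._ctors[name] = ctor

    def create(self, name):
        """Instantiate a primitive; with on_create the vectors run every time."""
        ctor = self._ctors[name]
        if self.on_create:
            self._self_test(name, ctor)
        return ctor()

    def _self_test(self, name, ctor):
        vectors = TEST_VECTORS.get(name, [])
        if not vectors and self.required:
            raise CryptoTestError("no test vector for %s" % name)
        for message, expected in vectors:
            h = ctor()
            h.update(message)
            if h.digest() != expected:
                raise CryptoTestError("%s failed known-answer test" % name)
            self.passed += 1


class BrokenSha256:
    """Constructed faulty implementation: flips one bit of the final digest,
    the kind of defect a known-answer test exists to catch."""

    def __init__(self):
        self._h = hashlib.sha256()

    def update(self, data):
        self._h.update(data)

    def digest(self):
        d = self._h.digest()
        return d[:-1] + bytes([d[-1] ^ 0x01])


def try_add(registry, name, ctor):
    """Register and report the outcome as text instead of raising."""
    try:
        registry.add(name, ctor)
        return "accepted"
    except CryptoTestError as exc:
        return "rejected: %s" % exc


def demo():
    """Apply the slide's settings (all yes) to three candidate primitives."""
    reg = Registry.from_settings({"on_add": "yes", "on_create": "yes",
                                  "required": "yes"})
    outcomes = {
        "sha256": try_add(reg, "sha256", hashlib.sha256),
        "broken_sha256": try_add(reg, "sha256", BrokenSha256),
        "sha1": try_add(reg, "sha1", hashlib.sha1),
    }
    return outcomes, reg
```

With all three settings on, the correct SHA-256 is accepted, the broken one is rejected before it can replace it, and SHA-1 is rejected simply because no vector exists for it; with required off the last case is accepted, which is the gap the setting closes.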

Page 11

Integrity Test

• Configuration in strongswan.conf

libstrongswan {
    integrity_test = yes
}

• Enable integrity test

./configure ... --enable-integrity-test

• The following integrity checks are performed:
  • library checksums for both file-on-disk and in-memory integrity
  • daemon checksums for file-on-disk integrity
  • plugin checksums for both file-on-disk and in-memory integrity
  • a 32 bit non-cryptographic quick hash is used for the checksums; SHA-2 could be used if required.

Page 12

strongSwan Workshop for Siemens

Job Priority Management

Page 13

Job Priorities

CRITICAL   Long-running dispatcher jobs, e.g. sockets
HIGH       INFORMATIONAL exchanges, e.g. for DPD
MEDIUM     Everything not HIGH/LOW, e.g. IKE_SA_INIT processing
LOW        IKE_AUTH processing. RADIUS/CRL fetching might block

Source: libstrongswan/processing/jobs/job.h

Page 14

Jobs with Priority CRITICAL

• Receive/Send IKE Messages, Event Scheduler, Network Events
  • libcharon/network/receiver.c
  • libcharon/network/sender.c
  • libstrongswan/processing/scheduler.c
  • libstrongswan/processing/watcher.c

• Configuration & Management Socket Interface
  • libcharon/plugins/stroke/stroke_socket.c
  • libcharon/plugins/vici/vici_socket.c

• High Availability Plugin
  • libcharon/plugins/ha/ha_cache.c | ha_ctl.c | ha_dispatcher.c | ha_segments.c

• EAP Radius Plugin
  • libcharon/plugins/eap_radius/eap_radius_accounting.c
  • libcharon/plugins/eap_radius/eap_radius_plugin.c

• PKCS#11 Smartcard Plugin
  • libstrongswan/plugins/pkcs11/pkcs11_manager.c

Page 15

Jobs with Priority HIGH

• IKE Job Processing
  • libcharon/processing/jobs/adopt_children_job.c
  • libcharon/processing/jobs/dpd_timeout_job.c
  • libcharon/processing/jobs/process_message_job.c
  • libcharon/processing/jobs/retransmit_job.c
  • libcharon/processing/jobs/retry_initiate_job.c
  • libcharon/processing/jobs/send_dpd_job.c
  • libcharon/processing/jobs/send_keepalive_job.c

• High Availability Plugin
  • libcharon/plugins/ha/ha_socket.c

Page 16

Jobs with Priority MEDIUM

• IKE Job Processing
  • libcharon/processing/jobs/acquire_job.c
  • libcharon/processing/jobs/delete_child_sa_job.c
  • libcharon/processing/jobs/delete_ike_sa_job.c
  • libcharon/processing/jobs/inactivity_job.c
  • libcharon/processing/jobs/initiate_mediation_job.c
  • libcharon/processing/jobs/initiate_tasks_job.c
  • libcharon/processing/jobs/mediation_job.c
  • libcharon/processing/jobs/migrate_job.c
  • libcharon/processing/jobs/process_message_job.c
  • libcharon/processing/jobs/rekey_child_sa_job.c
  • libcharon/processing/jobs/rekey_ike_sa_job.c
  • libcharon/processing/jobs/roam_job.c
  • libcharon/processing/jobs/start_action_job.c
  • libcharon/processing/jobs/update_sa_job.c

Page 17

Jobs with Priority LOW

• IKE Job Processing
  • libcharon/processing/jobs/process_message_job.c

Page 18

Thread and Job Priority Configuration

# strongswan.conf

charon {
    threads = 32
}

libstrongswan {
    processor {
        priority_threads {
            high = 1
            medium = 4
        }
    }
}

ipsec statusall

worker threads: 2 of 32 idle, 5/1/2/22 working, job queue: 0/0/1/149, scheduled: 198
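An added example (not from the slides or from strongSwan) that turns the ipsec statusall line above into a small health check: it parses the per-priority counters, verifies that idle and busy threads add up to the configured pool size, and reports queue backlogs together with what the affected priority stands for on the Job Priorities slide. The order CRITICAL/HIGH/MEDIUM/LOW of the four counters is assumed from that table; the backlog threshold is this example's own choice.

```python
import re
from dataclasses import dataclass

# Order of the four per-priority counters in the status line. Assumed to follow
# the Job Priorities table on the slides (CRITICAL, HIGH, MEDIUM, LOW).
PRIORITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
MEANING = {"CRITICAL": "long-running dispatcher jobs (sockets)",
           "HIGH": "INFORMATIONAL exchanges (DPD)",
           "MEDIUM": "IKE_SA_INIT and other processing",
           "LOW": "IKE_AUTH processing (may block on RADIUS/CRL fetching)"}

_LINE = re.compile(
    r"worker threads: (?P<idle>\d+) of (?P<total>\d+) idle, "
    r"(?P<working>\d+/\d+/\d+/\d+) working, "
    r"job queue: (?P<queued>\d+/\d+/\d+/\d+), scheduled: (?P<scheduled>\d+)")


@dataclass
class WorkerStatus:
    idle: int
    total: int
    working: dict     # busy threads per priority
    queued: dict      # waiting jobs per priority
    scheduled: int


def _per_priority(field):
    return dict(zip(PRIORITIES, (int(n) for n in field.split("/"))))


def parse_worker_line(line):
    m = _LINE.search(line)
    if m is None:
        raise ValueError("not a worker threads status line: %r" % line)
    return WorkerStatus(int(m["idle"]), int(m["total"]),
                        _per_priority(m["working"]), _per_priority(m["queued"]),
                        int(m["scheduled"]))


def threads_consistent(status):
    """Idle plus busy threads must add up to the configured pool size."""
    return status.idle + sum(status.working.values()) == status.total


def diagnose(status, backlog_threshold=10):
    """Priorities whose queue has built up a backlog, with what that priority
    stands for; a large LOW backlog points at blocking IKE_AUTH work."""
    findings = []
    for prio in PRIORITIES:
        queued = status.queued[prio]
        if queued >= backlog_threshold:
            findings.append((prio, queued, status.working[prio], MEANING[prio]))
    return findings


# Constructed sample: the ipsec statusall line shown on the slide above.
SAMPLE_LINE = ("worker threads: 2 of 32 idle, 5/1/2/22 working, "
               "job queue: 0/0/1/149, scheduled: 198")


def report(line=SAMPLE_LINE):
    status = parse_worker_line(line)
    lines = ["pool: %d threads, %d idle (%s)" % (
        status.total, status.idle,
        "consistent" if threads_consistent(status) else "INCONSISTENT")]
    for prio, queued, working, meaning in diagnose(status):
        lines.append("backlog: %d %s jobs queued, %d threads busy on them; %s"
                     % (queued, prio, working, meaning))
    return lines
```

For the slide's line the check reports 149 LOW jobs queued behind 22 busy LOW threads, which matches the table's warning that IKE_AUTH processing can block on RADIUS or CRL fetching; the reserved high and medium threads from the configuration above are what keep DPD and IKE_SA_INIT handling alive while that backlog drains.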

Page 19

strongSwan Training for Cisco – Session 1

Efficient IKE SA Retrieval

Page 20

Efficient IKE_SA Lookup using Hashtables

[Figure: hashtable with 8 buckets (0-7), each holding a Key / IKE_SA entry; the buckets are divided into 2 segments (0 and 1)]

# strongswan.conf

charon {
    ikesa_table_size = 8
    ikesa_table_segments = 2
}
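The segmented table above, as an added illustrative model in Python (not strongSwan's ike_sa_manager implementation): table_size buckets keyed by the SPI pair, grouped into segments that each hold their own lock, so concurrent lookups contend only within one segment rather than on a single table-wide lock. The bucket hash (BLAKE2b reduced modulo the table size) and the mapping of bucket row to segment (row % segments) are this example's assumptions.

```python
import hashlib
import threading


class SegmentedIkeSaTable:
    """Hash table of IKE_SAs keyed by (initiator SPI, responder SPI), split
    into segments that each carry their own lock. Model of the slide's
    picture; hashing and the row-to-segment mapping are this example's own."""

    def __init__(self, table_size=8, segments=2):
        if table_size % segments:
            raise ValueError("table_size must be a multiple of segments")
        self.table_size, self.segments = table_size, segments
        self.buckets = [[] for _ in range(table_size)]   # list of (key, ike_sa)
        self.locks = [threading.Lock() for _ in range(segments)]

    def row_for(self, key):
        """Bucket index for a (spi_i, spi_r) pair: hash reduced mod table size."""
        digest = hashlib.blake2b(b"%016x:%016x" % key, digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.table_size

    def segment_for(self, key):
        return self.row_for(key) % self.segments

    def put(self, key, ike_sa):
        row = self.row_for(key)
        with self.locks[row % self.segments]:     # only this segment is locked
            bucket = self.buckets[row]
            for i, (k, _) in enumerate(bucket):
                if k == key:
                    bucket[i] = (key, ike_sa)     # replace an existing entry
                    return
            bucket.append((key, ike_sa))

    def get(self, key):
        row = self.row_for(key)
        with self.locks[row % self.segments]:
            for k, sa in self.buckets[row]:
                if k == key:
                    return sa
        return None

    def remove(self, key):
        row = self.row_for(key)
        with self.locks[row % self.segments]:
            bucket = self.buckets[row]
            for i, (k, sa) in enumerate(bucket):
                if k == key:
                    del bucket[i]
                    return sa
        return None

    def load(self):
        """Entries held per segment; with a good hash they stay balanced, so
        lookups contend only for their own segment's lock."""
        per_segment = [0] * self.segments
        for row, bucket in enumerate(self.buckets):
            per_segment[row % self.segments] += len(bucket)
        return per_segment
```

Raising ikesa_table_size spreads entries over more buckets (shorter chains per lookup), while raising ikesa_table_segments splits the locking so that threads handling unrelated IKE_SAs rarely wait on each other; the two settings on the slide give 8 buckets across 2 locks.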