Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Francis Dupont <> Wed, 07 June 2017 22:13 UTC

From: Francis Dupont <>
To: Ted Lemon <>
cc: 神明達哉 <>, dhcwg <>
In-reply-to: Your message of Wed, 07 Jun 2017 17:19:15 -0400. <>
Date: Wed, 07 Jun 2017 23:58:11 +0200

In your previous mail you wrote:

>  The point of this joke is that actually I don't have any problem with
>  encryption being done in the kernel, but I don't see how to make it work
>  for this use case, because we don't have end-to-end communication with
>  the server.

=> the theory of IPsec operations is very simple: you have two databases:
 - the Security Association DataBase
 - the Security Policy Database.
When you have a packet you see in the SPD what to do. If the policy is
to do some IPsec processing on the packet you look for the parameters
in the SADB and if there is no SA when there should be one then you ask
IKE to create one (in fact a pair).
So the configuration consists of populating the SPD (e.g. by setkey)
and telling IKE what to do (define peers, credentials, a zillion of