The other aspect is the creation of a trust relationship between hosts on the Internet. This is also called the control plane. It involves the creation of a secure communication channel and the exchange of cryptographic keys. It also involves many choices and options and a lot of state information. This part is usually implemented in a process that runs on the OS continuously listening for requests for new IPsec connections. Programs that listen for incoming connections are typically called daemons.
These two layers—the userland daemon and the kernel IPsec stack—talk through a special socket interface, usually the PF_KEY interface. Most of the RFCs in the IPsec protocol suite are not actually about packet handling, but about these trust relationships. Handling packets is a relatively straightforward process. A packet comes in, matches a ruleset, is transformed into an IPsec packet, and is sent on.
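The data-plane path just described (policy lookup, SA lookup, ESP transform, and the reverse on receipt) can be modelled in a few dozen lines. The following is an added teaching example, not code from the book or from Openswan or any kernel: it keeps a simplified Security Policy Database (SPD) and Security Association Database (SAD) in Python objects, frames packets as ESP per RFC 4303 using NULL encryption (RFC 2410) with a truncated HMAC-SHA256 integrity check so that only the standard library is needed, and uses a plain set in place of the real sliding anti-replay window. All names (`policy`, `outbound`, `esp_encapsulate`, `esp_decapsulate`), addresses and keys are constructed for the example.

```python
"""Simplified model of the IPsec data plane: SPD match -> SA lookup -> ESP transform.

Constructed teaching example, not Openswan or kernel code. Framing follows
RFC 4303 with NULL encryption and HMAC-SHA256-128 integrity (standard library only).
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"
NEXT_HEADER_IPV4 = 4      # tunnel-mode ESP carries a whole IPv4 packet (IP-in-IP)
ICV_LEN = 16              # HMAC-SHA256-128: the ICV is the first 128 bits of the MAC


@dataclass
class SPDEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str
    sa_id: Optional[str] = None   # hypothetical handle into the SAD


@dataclass
class SA:
    spi: int
    auth_key: bytes
    seq: int = 0                  # outbound sequence counter, incremented per packet


def policy(src: str, dst: str, action: str, sa_id: Optional[str] = None) -> SPDEntry:
    """Convenience constructor so policies can be written as CIDR strings."""
    return SPDEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst), action, sa_id)


def lookup_policy(spd, src: str, dst: str) -> Optional[SPDEntry]:
    """Ordered first-match search of the SPD, like the kernel's policy check."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return entry
    return None                   # no matching policy: caller treats this as discard


def esp_encapsulate(sa: SA, inner: bytes) -> bytes:
    """ESP packet = SPI | seq | payload | padding | pad len | next header | ICV."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    pad_len = (-(len(inner) + 2)) % 4          # payload + trailer aligned to 4 bytes
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default pad pattern 1,2,3,...
    trailer = bytes([pad_len, NEXT_HEADER_IPV4])
    body = header + inner + padding + trailer
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(sa: SA, esp: bytes, seen: set) -> Optional[bytes]:
    """Verify ICV and replay state, then strip framing; None means 'drop the packet'."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None               # integrity failure: drop before looking at anything else
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or seq in seen:
        return None               # wrong SA, or a sequence number already accepted
    seen.add(seq)
    pad_len = body[-2]
    return body[8:len(body) - 2 - pad_len]


def outbound(spd, sad, src: str, dst: str, packet: bytes):
    """Data-plane decision for one outbound packet: (verdict, bytes-or-None)."""
    entry = lookup_policy(spd, src, dst)
    if entry is None or entry.action == DISCARD:
        return ("discard", None)
    if entry.action == BYPASS:
        return ("bypass", packet)
    sa = sad.get(entry.sa_id)
    if sa is None:
        # No SA installed yet: a real kernel would send SADB_ACQUIRE over PF_KEY
        # and let the daemon negotiate one before the packet can be sent.
        return ("acquire", None)
    return ("protect", esp_encapsulate(sa, packet))


# Constructed sample databases: protect 10.0.1.0/24 -> 10.0.2.0/24, bypass local
# traffic, discard everything else. The key is a demo value, not a real secret.
SPD = [
    policy("10.0.1.0/24", "10.0.2.0/24", PROTECT, "sa-out-1"),
    policy("10.0.1.0/24", "10.0.1.0/24", BYPASS),
    policy("0.0.0.0/0", "0.0.0.0/0", DISCARD),
]
SAD = {"sa-out-1": SA(spi=0x1000, auth_key=b"constructed-demo-key-not-for-use")}

if __name__ == "__main__":
    verdict, esp = outbound(SPD, SAD, "10.0.1.5", "10.0.2.9", b"constructed inner IPv4 packet")
    print(verdict, esp.hex())
```

The `"acquire"` branch is where the two layers of the text meet: the kernel has a policy saying the packet must be protected but no SA to do it with, so it asks the daemon over PF_KEY and the control plane takes over. Everything else in the block is the data plane, and it is deliberately stateless apart from the sequence counter and the replay set.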
But handling a whole range of different kinds of...