4.3.1 Key Management Issues

It is expected that many systems choosing to implement ISAKMP will strive to provide a protected domain of execution for a combined IKE key management daemon. On protected-mode multiuser operating systems, this key management daemon will likely exist as a separate privileged process. In such an environment, a formalized API to introduce keying material into the TCP/IP kernel may be desirable. The IP Security architecture does not place any requirements for structure or flow between a host TCP/IP kernel and its key management provider.
Above this, the key management program should be a separate process in the form of a daemon, and the IPSEC program should include a kernel program.
The key management program consists of a client and a server. And when needed, the IPSEC program must be able to call the key management client in order to negotiate a key and so on.
So in order for the kernel program to call the user program, a formalized API seems to be needed.
But I don't know how a part of the kernel can call a user program, or how to design a formalized API.
I need your advice about reference books and your ideas.
Help me!!
Thank you!!
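The quoted passage describes a formalized API between the TCP/IP kernel and a separate, privileged key management daemon. As an added illustration that is not part of the original post, of any RFC, or of any project's code, the C sketch below models that boundary with the base message header of PF_KEY version 2 (RFC 2367), a real socket-based API of exactly this kind: the kernel sends the daemon an SADB_ACQUIRE when it needs a security association negotiated, and the daemon tells the kernel which SA types it handles with SADB_REGISTER. The header struct and the constants are redeclared locally so the file builds without <linux/pfkeyv2.h>; the kernel side and the socket are assumed, and the messages the daemon dispatches are constructed in the file rather than read from a kernel. The action names (km_*) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PF_KEY v2 constants with the values given in RFC 2367; only the subset
 * this sketch needs is declared. */
#define PF_KEY_V2        2
#define SADB_ACQUIRE     6   /* kernel -> daemon: negotiate an SA for this traffic */
#define SADB_REGISTER    7   /* daemon -> kernel: send me ACQUIRE/EXPIRE for this SA type */
#define SADB_EXPIRE      8   /* kernel -> daemon: an SA is expiring */
#define SADB_SATYPE_AH   2
#define SADB_SATYPE_ESP  3

/* Base message header (RFC 2367 section 2.3): 16 bytes, no padding.
 * sadb_msg_len counts 64-bit words of the whole message. */
struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};

/* What the daemon decides to do with one message (names are this example's). */
enum km_action {
    KM_REJECT_MALFORMED = 0,  /* drop: header does not describe the bytes received */
    KM_IGNORE = 1,            /* valid, but nothing for this daemon to do */
    KM_NEGOTIATE = 2,         /* start an IKE exchange for the requested SA */
    KM_REKEY = 3              /* negotiate a replacement before the SA expires */
};

/* Header-only message builder. Real ACQUIRE/REGISTER messages carry
 * extensions after the header; this sketch stays header-only. */
size_t km_build_header(uint8_t *out, size_t cap, uint8_t type, uint8_t satype,
                       uint32_t seq, uint32_t pid)
{
    struct sadb_msg m;
    if (cap < sizeof m) return 0;
    memset(&m, 0, sizeof m);
    m.sadb_msg_version = PF_KEY_V2;
    m.sadb_msg_type    = type;
    m.sadb_msg_satype  = satype;
    m.sadb_msg_len     = (uint16_t)(sizeof m / 8);
    m.sadb_msg_seq     = seq;
    m.sadb_msg_pid     = pid;
    memcpy(out, &m, sizeof m);
    return sizeof m;
}

/* Dispatch one message read from the kernel. The kernel is trusted, but
 * the daemon still checks that the length field agrees with the bytes it
 * actually received, so a short or truncated read is never acted on. */
enum km_action km_dispatch(const uint8_t *buf, size_t nbytes, uint32_t *seq_out)
{
    struct sadb_msg m;
    if (buf == NULL || nbytes < sizeof m) return KM_REJECT_MALFORMED;
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2) return KM_REJECT_MALFORMED;
    if ((size_t)m.sadb_msg_len * 8 != nbytes) return KM_REJECT_MALFORMED;
    if (m.sadb_msg_satype != SADB_SATYPE_AH &&
        m.sadb_msg_satype != SADB_SATYPE_ESP) return KM_IGNORE;
    if (seq_out) *seq_out = m.sadb_msg_seq;   /* echoed back in the daemon's reply */
    switch (m.sadb_msg_type) {
    case SADB_ACQUIRE: return KM_NEGOTIATE;
    case SADB_EXPIRE:  return KM_REKEY;
    default:           return KM_IGNORE;      /* e.g. replies to the daemon's own requests */
    }
}

/* Constructed sample message (not captured from any kernel); always 16 bytes. */
const uint8_t *km_sample_message(uint8_t type, uint8_t satype, uint32_t seq)
{
    static uint8_t buf[sizeof(struct sadb_msg)];
    km_build_header(buf, sizeof buf, type, satype, seq, 0);
    return buf;
}

int main(void)
{
    uint8_t reg[sizeof(struct sadb_msg)];
    uint32_t seq = 0;
    /* Startup: the daemon would send this REGISTER on its PF_KEY socket. */
    size_t n = km_build_header(reg, sizeof reg, SADB_REGISTER, SADB_SATYPE_ESP, 0, 4242);
    printf("REGISTER for ESP: %zu bytes\n", n);
    /* Runtime: the kernel asks for an SA; the daemon decides to negotiate. */
    enum km_action a = km_dispatch(km_sample_message(SADB_ACQUIRE, SADB_SATYPE_ESP, 7), 16, &seq);
    printf("ACQUIRE seq=%u -> action %d (2 = negotiate)\n", seq, (int)a);
    /* A truncated read is rejected rather than acted on. */
    printf("truncated -> action %d (0 = malformed)\n",
           (int)km_dispatch(km_sample_message(SADB_ACQUIRE, SADB_SATYPE_ESP, 8), 15, NULL));
    return 0;
}
```

In a real daemon the buffer handed to km_dispatch comes from recv() on a socket opened with socket(PF_KEY, SOCK_RAW, PF_KEY_V2), which needs privilege; that is the "formalized API" the quoted text mentions, and it is how the kernel "calls" a user program: it does not invoke user code, it writes a message to a socket the daemon is already blocked on. The daemon's reply carries the same sadb_msg_seq so the kernel can match it to its request.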