Next: Portability Considerations Up: Implementation Details Previous: The Exchange Script Machine

Configuration


  
Figure 3: Configuration entry samples
\begin{figure*}
\begin{verbatim}
 ...

Configuring IKE is an involved process, because IKE is a complex protocol. When we faced the problem of how to design the configuration language we tried a few simplistic approaches, but they soon turned out to be too inflexible. We therefore settled on a rather generic configuration syntax into which we could fit everything we wanted. The syntax also allows easy dynamic modification of the internal configuration information without reloading a full file. The caveat is that our configuration syntax maps much better to the machine and the protocols than to the human being administering isakmpd. Our plan was to get someone else to write a ``real'' configuration file format that could be translated into our style. So far no one has taken the bait. Note that ideally very little configuration should be needed for isakmpd; most of the information should be provided on the fly by the kernel (at least in the end-to-end case), or through some security policy discovery mechanism.

The file format is the one commonly known as .INI format; a snippet is shown in figure 3. Internally, everything is treated as (section, tag, value) triplets, where a value may optionally be a list of scalar values. Values are often themselves section names, which gives the data a tree (or rather a forest) structure.

As already mentioned, the internal configuration can be altered dynamically. We foresaw several ``users'' altering the configuration concurrently, so we made the API transactional: each transaction can contain several modifications to the configuration, and they are introduced atomically, so that a reader never observes a half-applied transaction.

There is also an internal API for retrieving the actual configuration values. Because all access goes through that API rather than through the file, moving the configuration database to another internal format, or even externalizing it, is considered very easy.
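The following Python sketch is an added illustration of the three preceding paragraphs and is not isakmpd's own (C) code: it flattens an .INI-style text into (section, tag, value) triplets with optional list values, treats a value that names another section as an edge of the configuration forest, and lands modifications through a transaction that either applies all of them or none. The embedded sample configuration is constructed for the example, and its section and tag names are invented rather than real isakmpd.conf keywords; the cycle check at commit time is likewise an assumption about what such a store should enforce, not something the paper states.

```python
"""Toy model of an isakmpd-style configuration store (added example,
not isakmpd's code).  Section/tag names in the sample are invented."""
import re

# Constructed sample in the .INI style the paper describes; the keys are
# illustrative only and are not actual isakmpd.conf syntax.
SAMPLE_CONFIG = """\
[Phase 1]
10.1.0.2=         Peer-east            # peer address -> peer section

[Peer-east]
Phase=            1
Transport=        udp
Configuration=    Main-mode-east       # value naming a section: an edge

[Main-mode-east]
EXCHANGE_TYPE=    ID_PROT
Transforms=       3DES-SHA-RSA,AES-SHA-RSA   # a list value

[3DES-SHA-RSA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM=       SHA
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_ENTRY = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


class ConfigError(ValueError):
    pass


def parse_ini(text):
    """Flatten .INI text into (section, tag, value) triplets.  A comma-
    separated value becomes a list of scalars; '#' starts a comment."""
    triplets, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = _ENTRY.match(line)
        if m is None or section is None:
            raise ConfigError(f"line {lineno}: malformed entry {raw!r}")
        tag, value = m.group(1), m.group(2).strip()
        if "," in value:
            value = [v.strip() for v in value.split(",") if v.strip()]
        triplets.append((section, tag, value))
    return triplets


class ConfigStore:
    """In-memory (section, tag, value) database: read API plus
    transactional writes."""

    def __init__(self, triplets=()):
        self._db = {}
        for section, tag, value in triplets:
            self._db.setdefault(section, {})[tag] = value

    def get(self, section, tag, default=None):
        return self._db.get(section, {}).get(tag, default)

    def get_list(self, section, tag):
        value = self.get(section, tag)
        if value is None:
            return []
        return list(value) if isinstance(value, list) else [value]

    def tree(self, root, _path=None):
        """Subtree below `root` as nested dicts keyed by section name;
        raises ConfigError if section references form a cycle."""
        path = set() if _path is None else _path
        if root in path:
            raise ConfigError(f"section reference cycle through {root!r}")
        path.add(root)
        subtree = {}
        for value in self._db.get(root, {}).values():
            for scalar in (value if isinstance(value, list) else [value]):
                if scalar in self._db:  # a value naming a section is an edge
                    subtree[scalar] = self.tree(scalar, path)
        path.discard(root)
        return subtree

    def transaction(self):
        return Transaction(self)


class Transaction:
    """Several modifications that land together at commit, or not at all."""

    def __init__(self, store):
        self._store, self._ops = store, []

    def set(self, section, tag, value):
        self._ops.append(("set", section, tag, value))
        return self

    def delete(self, section, tag):
        self._ops.append(("del", section, tag, None))
        return self

    def commit(self):
        # Work on a copy: a bad op, or a reference cycle in the result,
        # raises before the live database is touched.
        new = {s: dict(tags) for s, tags in self._store._db.items()}
        for op, section, tag, value in self._ops:
            if op == "set":
                new.setdefault(section, {})[tag] = value
            elif tag in new.get(section, {}):
                del new[section][tag]
                if not new[section]:
                    del new[section]
            else:
                raise ConfigError(f"cannot delete missing {section}:{tag}")
        probe = ConfigStore()
        probe._db = new
        for section in new:
            probe.tree(section)  # cycle check over the whole forest (assumed policy)
        self._store._db = new    # one assignment: readers see old or new, never a mix
        self._ops = []


if __name__ == "__main__":
    store = ConfigStore(parse_ini(SAMPLE_CONFIG))
    print(store.tree("Phase 1"))
```

Because readers only ever see the reference swap at the end of commit, a concurrent reader observes either the complete old database or the complete new one, which is the atomicity the transactional API is meant to provide; rejecting a transaction that would leave a section reference cycle behind is the kind of whole-transaction validation that such a copy-then-swap design makes cheap.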


Angelos D. Keromytis
4/20/2000