Some implementation problems about IPsec
- From: blue <susan.lan@xxxxxxxxxxxx>
- Date: Fri, 29 Jun 2007 09:00:34 +0800
Dear all:
I am tracing the codes for the implementation for IPsec recently. I have two problems here about the implementation:
1. In ip6_input.c, before handing the packet to the next protocol handler after processing of IPv6 headers,
#ifdef IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec6_in_reject(m, NULL)) {
ipsec6stat.in_polvio++;
goto bad;
}
#endif
Why needs to do ipsec6_in_reject() here for some specific "LASTHDER" protocols, such as icmp? Why not all the packets need the check?
2. What is the real meaning for the flags M_AUTHIPHDR, M_AUTHIPDGM, and M_DECRYPTED? At the beginning, I thought the mbuf carrying either one of the flags would represent it had processed by IPsec stack. However, in KAME implementation, ah_input and ah6_input will unset the flag after an AH tunneled packet has been passed the authentication. While ESP is the case, once M_DECRYPTED flag is set, it would never be unset. On the other hand, in FAST_IPSEC, which is another different IPsec implementation on FreeBSD, the flags are never unset, and also another flag named M_IPSEC is defined as M_AUTHIPHDR | M_AUTHIPDGM | M_DECRYPTED. I am confused by the inconsistent usage.....
Many Thanks.
Susan
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Prev by Date: RE: Problems with BCE network adapter (Dell PE2950)
- Next by Date: RE: Problems with BCE network adapter (Dell PE2950)
- Previous by thread: Re: kern/112710: [re] if_re driver detects incorrect b243a405a405 MAC address on SMC9452TX-1 pci gigabit cards
- Next by thread: skype dummynet high priority
- Index(es):
Relevant Pages
|
|
