From owner-freebsd-net@FreeBSD.ORG Mon Jul 21 09:30:07 2008
Date: Mon, 21 Jul 2008 09:26:15 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Sam Leffler
Cc: freebsd-net@freebsd.org, vanhu_bsd@zeninc.net, Larry Baird
Subject: Re: FreeBSD NAT-T patch integration [CFR/CFT]
In-Reply-To: <487EC62A.3070301@freebsd.org>
Message-ID: <20080721085325.B57089@maildrop.int.zabbadoz.net>
References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org> <487EC62A.3070301@freebsd.org>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 16 Jul 2008, Sam Leffler wrote:

Hi,

> Please test/review the following patch against HEAD:
>
> http://people.freebsd.org/~sam/nat_t-20080616.patch
>
> This adds only the kernel portion of the NAT-T support; you must provide the
> user-level code from another place.
>
> The main differences from the patches floating around are in the ctloutput
> path (adding proper locking for HEAD) and decap of ESP-in-UDP frames.
> Assuming folks are ok w/ these changes I'll commit to HEAD. Once this stuff
> goes in we can look at getting the user-mode mods into the tree.

I have skipped through the patch.

My main concern at the moment is the API (pfkey stuff) to userland, as Yvan
had stated in <20080626075307.GA1401@zen.inc>. I know that at the moment there
seems to be one public (pseudo) reference implementation this all works
together with, but there might be/are other people not using libipsec from
ipsec-tools. The point is, changing the API once this hits the tree will be
hard to detect at a later point, if at all (unless with a __FreeBSD_version or
(another) library version bump/sym versioning).

We are still missing other things I think not mentioned elsewhere, like
partial checksum recalculation. I still wonder if we'd have all the
information (at the right place) in the kernel so we could easily add support
for that at a later time w/o having to change APIs again. Considering that it
seems no one using this patch in products has implemented this .. I dunno.
It's something that is already mentioned in the introduction of RFC 3947 and
in 3.1.2. of 3948 and thus should be very obvious to anyone who ever seriously
thought of finishing a proper, more than "it works for me", version of the
patch.

Some minor things I had seen not reported so far:

I have seen two printfs that should be changed to proper logging, ...

/NAT-T OA present
s,bave,have, in "...in the SPD: This means we bave a non-generated" but maybe
change the entire comment. "non-generated SPD" is kind of wrong wording.

I'd happily go through another patch once the missing/to be corrected things
were addressed.

/bz

-- 
Bjoern A. Zeeb                          Stop bit received. Insert coin for new game.
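The two mechanisms this review touches on, the decap of ESP-in-UDP frames from Sam's patch description and the transport-mode checksum fixup that section 3.1.2 of RFC 3948 requires after NAT (the "partial checksum recalculation" Bjoern asks about), shown as an added C example. This is not code from the patch or the FreeBSD tree; the function names (natt_classify, in_cksum, csum_replace32), the sample packets and the 12-byte checksummed buffer are all constructed for this example, and the incremental fixup assumes the pre-NAT inner address is known, which in practice comes from the NAT-OA payload RFC 3947 defines.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- ESP-in-UDP demultiplexing (RFC 3948 sections 2.1-2.3) ---------------
 * A datagram arriving on the NAT-T UDP port carries one of three things:
 *   - a single 0xFF byte: NAT-keepalive, to be dropped silently;
 *   - four zero bytes (the "non-ESP marker") followed by an IKE message;
 *   - an ESP packet, whose first 32-bit word is the SPI (never 0).
 * Names and sample data below are this example's own, not the patch's. */
enum natt_kind { NATT_INVALID, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

enum natt_kind natt_classify(const uint8_t *p, size_t len, uint32_t *spi_out)
{
    if (len == 1 && p[0] == 0xff)          /* RFC 3948 2.3: NAT-keepalive */
        return NATT_KEEPALIVE;
    if (len < 4)
        return NATT_INVALID;
    uint32_t first = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    if (first == 0)                        /* RFC 3948 2.2: non-ESP marker, IKE follows */
        return NATT_IKE;
    /* RFC 3948 2.1: UDP-encapsulated ESP. Require at least SPI + sequence
     * number here; the ESP input path validates the trailer and ICV. */
    if (len < 8)
        return NATT_INVALID;
    if (spi_out)
        *spi_out = first;
    return NATT_ESP;
}

/* Constructed sample payloads, one per case. */
const uint8_t natt_sample_keepalive[1] = { 0xff };
const uint8_t natt_sample_ike[8]       = { 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44 };
const uint8_t natt_sample_esp[16]      = { 0x00, 0x00, 0x10, 0x00,   /* SPI 0x1000 */
                                           0x00, 0x00, 0x00, 0x01,   /* seq 1 */
                                           0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d };

uint32_t natt_sample_esp_spi(void)
{
    uint32_t spi = 0;
    natt_classify(natt_sample_esp, sizeof natt_sample_esp, &spi);
    return spi;
}

/* --- Transport-mode checksum fixup (RFC 3948 section 3.1.2) ----------------
 * After decapsulation the inner TCP/UDP checksum still covers the pre-NAT
 * addresses in its pseudo-header. Either recompute it from scratch, or, if
 * the original address is known (NAT-OA, RFC 3947), patch it incrementally
 * with RFC 1624 equation 3: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Internet checksum (RFC 1071) over big-endian 16-bit words; host-order result. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (i < len)                            /* odd trailing byte, zero-padded */
        sum += (uint32_t)data[i] << 8;
    return (uint16_t)~csum_fold(sum);
}

/* Incrementally replace 32-bit value m by mp inside a region checksummed as hc. */
uint16_t csum_replace32(uint16_t hc, uint32_t m, uint32_t mp)
{
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~(m >> 16);
    sum += (uint16_t)~(m & 0xffff);
    sum += mp >> 16;
    sum += mp & 0xffff;
    return (uint16_t)~csum_fold(sum);
}

/* Constructed 12-byte checksummed region: inner source address, then
 * destination address and two ports, standing in for a pseudo-header. */
const uint8_t sample_inner[12] = { 0x0a, 0x00, 0x00, 0x01,   /* 10.0.0.1, pre-NAT (NAT-OA) */
                                   0xc0, 0xa8, 0x01, 0x02,   /* 192.168.1.2 */
                                   0x00, 0x50, 0x1f, 0x90 }; /* ports 80, 8080 */
#define SAMPLE_OLD_ADDR 0x0a000001u   /* 10.0.0.1 */
#define SAMPLE_NEW_ADDR 0xcb007101u   /* 203.0.113.1, address seen after NAT */

uint16_t sample_full_csum_after_nat(void)   /* recompute from scratch */
{
    uint8_t buf[sizeof sample_inner];
    memcpy(buf, sample_inner, sizeof buf);
    buf[0] = 0xcb; buf[1] = 0x00; buf[2] = 0x71; buf[3] = 0x01;
    return in_cksum(buf, sizeof buf);
}

uint16_t sample_incremental_csum_after_nat(void)   /* RFC 1624 patch */
{
    return csum_replace32(in_cksum(sample_inner, sizeof sample_inner),
                          SAMPLE_OLD_ADDR, SAMPLE_NEW_ADDR);
}

int main(void)
{
    printf("keepalive=%d ike=%d esp spi=0x%08x\n",
           natt_classify(natt_sample_keepalive, 1, NULL),
           natt_classify(natt_sample_ike, sizeof natt_sample_ike, NULL),
           natt_sample_esp_spi());
    printf("checksum after NAT: full 0x%04x, incremental 0x%04x\n",
           sample_full_csum_after_nat(), sample_incremental_csum_after_nat());
    return 0;
}
```

The incremental path only needs the old checksum and the two addresses, so it can run wherever the SA and its NAT-OA data live; the full recompute needs the whole segment in hand. That is exactly the "do we have all the information at the right place" question raised above, and why the NAT-OA payload has to be carried from IKE through the pfkey API into the kernel.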