Date:      Tue, 01 May 2001 17:42:53 +0000
From:      Gunther Schadow <gunther@aurora.regenstrief.org>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        snap-users@kame.net, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject:   Re: The future of ALTQ, IPsec & IPFILTER playing together ...
Message-ID:  <3AEEF59D.3D5622DE@aurora.regenstrief.org>
References:  <3AEEEE79.8F7CC7B0@aurora.regenstrief.org> <3AEEF26B.C6850070@isi.edu>

Lars Eggert wrote: 

> You should really look into using IPIP tunnels together with IPsec
> transport mode. In that case, your packets loop through IP outbound
> processing twice, allowing you to hook into "IP hacks" (ALTQ, ipfw,
> ipfilter, etc.) at both the virtual network layer as well as the
> physical network layer. If (and I'm not sure this is supported, but it's
> easy to add) gif devices are ALTQified, you could apply ALTQ at the
> virtual network level, before IPsec processing kicks in at the physical
> network.

This makes perfect sense to me. Thanks for the reference to this
internet draft. I will switch to a gif-tunnel based approach for
now just to get my project going. However, I am afraid that ALTQ
is not supported on gif pseudo-devices as it seems that ALTQ wants
to deal with things like DMA etc, i.e., real NIC hardware. You say,
ALTQifying gif should be relatively simple? Should I dare trying
it myself? I won't be getting away without kernel-hacking anyway,
since I can choose between ALTQifying the gif device or adding
TOS-based filtering into IPFW :-(

regards
-Gunther

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
