Date: Tue, 7 Mar 2006 19:02:22 +0100
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-net@freebsd.org
Subject: FAST_IPSEC and tunnelled packets processing
Message-ID: <20060307180222.GA1308@zen.inc>
Hi all.

I'm playing with FAST_IPSEC, and noticed what looks strange to me:

I have an ESP/Tunnel configuration, and when I wanted to track packet processing in the kernel, I noticed it goes 3 times in ip_input():

- ESP packet passes through ip_input(), and is sent to ipsec code.
- esp_input_cb() removes the ESP header and trailer, and sends it back to ipsec_common_input_cb().
- ipsec_common_input_cb() sends it back to ip_input(), without ESP header, but still with an IPIP header (IP addresses are tunnel endpoints).
- ip_input() will send it to "I don't know exactly where" (but I guess it will go to ip_forward()), where the IPIP header will be removed and.... yes, packet will be sent again to ip_input(), where it will really be the inner packet.....

Is this a bug, a "missing feature", or something done this way for "some good reason I don't see"?

KAME's IPSEC stack removes both ESP header and IPIP header at the same time (in esp4_input()/ipsec4_tunnel_validate()), the packet is only seen twice by ip_input().

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
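The single-pass decapsulation the message attributes to KAME (ESP header/trailer and the IPIP header stripped together, with the inner header validated before anything is handed back to ip_input()) can be modelled in user space. The following is an added example written for this archive page, not code from FAST_IPSEC, KAME or FreeBSD; it assumes the ESP payload is already decrypted and NULL authentication (no ICV), and the sample packet, addresses and SPI are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROTO_ESP  50
#define PROTO_IPIP 4

/* Single-pass ESP tunnel-mode decapsulation on an already-decrypted packet
 * (NULL auth assumed, so no ICV). Skips outer IP + ESP header, consumes the
 * ESP trailer, validates the inner IPv4 header and returns its total length
 * with *inner pointing at it. Returns -1 on any inconsistency, so a bogus
 * inner header is never reinjected. */
int esp_tunnel_decap(const uint8_t *pkt, size_t len, const uint8_t **inner)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ohl = (pkt[0] & 0x0f) * 4;                /* outer header length */
    if (ohl < 20 || len < ohl + 8 + 2) return -1;    /* room for ESP hdr + trailer */
    if (pkt[9] != PROTO_ESP) return -1;
    if ((size_t)((pkt[2] << 8) | pkt[3]) != len) return -1;
    size_t start = ohl + 8;                          /* skip SPI + sequence number */
    size_t padlen = pkt[len - 2];
    uint8_t next = pkt[len - 1];
    if (padlen > len - 2 - start) return -1;         /* trailer claims more than exists */
    if (next != PROTO_IPIP) return -1;               /* not a tunnel-mode (IP-in-IP) payload */
    const uint8_t *in = pkt + start;
    size_t inlen = len - 2 - padlen - start;
    if (inlen < 20 || (in[0] >> 4) != 4) return -1;
    size_t ihl = (in[0] & 0x0f) * 4;
    size_t itot = (in[2] << 8) | in[3];
    if (ihl < 20 || itot < ihl || itot > inlen) return -1;
    *inner = in;
    return (int)itot;
}

/* Constructed sample (60 bytes): outer IP 10.0.0.1->10.0.0.2 proto ESP |
 * SPI 0x1001, seq 1 | inner IP 192.168.1.10->192.168.2.20 proto UDP plus an
 * 8-byte UDP header | 2 pad bytes | padlen=2 | next header=4 (IPIP). */
size_t build_sample(uint8_t *buf)
{
    const uint8_t outer[20] = {0x45,0,0,60, 0,0,0,0, 64,PROTO_ESP,0,0, 10,0,0,1, 10,0,0,2};
    const uint8_t esp[8]    = {0,0,0x10,0x01, 0,0,0,1};
    const uint8_t inner[28] = {0x45,0,0,28, 0,0,0,0, 64,17,0,0, 192,168,1,10, 192,168,2,20,
                               0x04,0xd2, 0x00,0x35, 0,8, 0,0};
    const uint8_t trailer[4] = {0,0, 2, PROTO_IPIP};
    memcpy(buf, outer, 20); memcpy(buf + 20, esp, 8);
    memcpy(buf + 28, inner, 28); memcpy(buf + 56, trailer, 4);
    return 60;
}
```

On the sample, esp_tunnel_decap() returns 28 and points at the inner UDP datagram's IP header; a trailer whose next header is not IPIP, a pad length larger than the payload, or a truncated packet all return -1.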