Date: Fri, 29 Jun 2007 09:00:34 +0800 From: blue <susan.lan@zyxel.com.tw> To: freebsd-net@freebsd.org Subject: Some implementation problems about IPsec Message-ID: <468459B2.3060601@zyxel.com.tw>
next in thread | raw e-mail | index | archive | help
Dear all: I am tracing the codes for the implementation for IPsec recently. I have two problems here about the implementation: 1. In ip6_input.c, before handing the packet to the next protocol handler after processing of IPv6 headers, #ifdef IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec6_in_reject(m, NULL)) { ipsec6stat.in_polvio++; goto bad; } #endif Why needs to do ipsec6_in_reject() here for some specific "LASTHDER" protocols, such as icmp? Why not all the packets need the check? 2. What is the real meaning for the flags M_AUTHIPHDR, M_AUTHIPDGM, and M_DECRYPTED? At the beginning, I thought the mbuf carrying either one of the flags would represent it had processed by IPsec stack. However, in KAME implementation, ah_input and ah6_input will unset the flag after an AH tunneled packet has been passed the authentication. While ESP is the case, once M_DECRYPTED flag is set, it would never be unset. On the other hand, in FAST_IPSEC, which is another different IPsec implementation on FreeBSD, the flags are never unset, and also another flag named M_IPSEC is defined as M_AUTHIPHDR | M_AUTHIPDGM | M_DECRYPTED. I am confused by the inconsistent usage..... Many Thanks. Susan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?468459B2.3060601>