Date:      Fri, 29 Jun 2007 09:00:34 +0800
From:      blue <susan.lan@zyxel.com.tw>
To:        freebsd-net@freebsd.org
Subject:   Some implementation problems about IPsec
Message-ID:  <468459B2.3060601@zyxel.com.tw>

Dear all:

I have been tracing the code of the IPsec implementation recently. I have
two problems here about the implementation:

1. In ip6_input.c, before handing the packet to the next protocol 
handler after processing of IPv6 headers,

#ifdef IPSEC
        /*
         * enforce IPsec policy checking if we are seeing last header.
         * note that we do not visit this with protocols with pcb layer
         * code - like udp/tcp/raw ip.
         */
        if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
            ipsec6_in_reject(m, NULL)) {
            ipsec6stat.in_polvio++;
            goto bad;
        }
#endif

Why does ipsec6_in_reject() need to be done here only for some specific "LASTHDR"
protocols, such as ICMP? Why don't all the packets need the check?

2. What is the real meaning of the flags M_AUTHIPHDR, M_AUTHIPDGM, and
M_DECRYPTED? At the beginning, I thought an mbuf carrying any one of
these flags would indicate that it had been processed by the IPsec stack. However, in
the KAME implementation, ah_input and ah6_input unset the flag after an
AH tunneled packet has passed authentication. In the case of ESP,
once the M_DECRYPTED flag is set, it is never unset. On the
other hand, in FAST_IPSEC, which is a different IPsec
implementation on FreeBSD, the flags are never unset, and another
flag named M_IPSEC is defined as M_AUTHIPHDR | M_AUTHIPDGM |
M_DECRYPTED. I am confused by the inconsistent usage...

Many Thanks.

Susan
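The dispatch logic that the quoted ip6_input.c fragment sits in, modelled as an added example (this is not code from the FreeBSD tree or from the poster): extension headers are consumed one at a time, and the IPsec policy check fires only when the next protocol carries PR_LASTHDR, because pcb-layer protocols such as TCP and UDP check the socket's policy themselves. The names mirror the kernel's, but struct pkt, proto_flags() and the constant values are simplified stand-ins.

```c
/* Toy model of the ip6_input() header-chain loop around the quoted check.
 * Structures and flag values are simplified stand-ins, not kernel ones. */
#include <stdio.h>

#define IPPROTO_DSTOPTS  60
#define IPPROTO_TCP       6
#define IPPROTO_UDP      17
#define IPPROTO_ICMPV6   58
#define IPPROTO_DONE    257   /* sentinel: header chain fully consumed */
#define PR_LASTHDR     0x01   /* stand-in for the kernel protosw flag */

/* Constructed packet: chain of protocol numbers ending in the payload
 * protocol, plus a flag standing in for the inbound policy decision. */
struct pkt { int chain[4]; int pos; int policy_reject; };

static int proto_flags(int nxt) {
    /* In this model only ICMPv6 is a last header with no pcb layer */
    return nxt == IPPROTO_ICMPV6 ? PR_LASTHDR : 0;
}

static int ipsec6_in_reject(const struct pkt *m) { return m->policy_reject; }

/* Returns how many policy checks ran at the ip6_input layer, or -1 when
 * the packet was dropped as a policy violation (the kernel's "goto bad"). */
int ip6_dispatch(struct pkt *m) {
    int checks = 0;
    int nxt = m->chain[m->pos];
    while (nxt != IPPROTO_DONE) {
        if ((proto_flags(nxt) & PR_LASTHDR) != 0) {
            checks++;
            if (ipsec6_in_reject(m))
                return -1;
        }
        /* Transport protocols finish the chain; extension-header
         * handlers hand back the next protocol number. */
        if (nxt == IPPROTO_TCP || nxt == IPPROTO_UDP || nxt == IPPROTO_ICMPV6)
            nxt = IPPROTO_DONE;
        else
            nxt = m->chain[++m->pos];
    }
    return checks;
}

int main(void) {
    struct pkt icmp = { { IPPROTO_DSTOPTS, IPPROTO_ICMPV6 }, 0, 1 };
    struct pkt udp  = { { IPPROTO_DSTOPTS, IPPROTO_UDP }, 0, 1 };
    printf("icmp6 w/ reject policy: %d\n", ip6_dispatch(&icmp));  /* -1 */
    printf("udp   w/ reject policy: %d\n", ip6_dispatch(&udp));   /* 0  */
    return 0;
}
```

With the same rejecting policy, the UDP packet is not dropped here: in the model, as in the comment on the page, that check belongs to the pcb-layer input routine.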
