Message-ID: <150d01c26e1f$192baf10$52557f42@errno.com>
From: "Sam Leffler"
To: "Terry Lambert"
Cc: "Nate Lawson"
References: <142f01c26dc1$6c4fa5b0$52557f42@errno.com> <3DA12517.6D1B4EC2@mindspring.com>
Subject: Re: CFR: m_tag patch
Date: Mon, 7 Oct 2002 09:32:15 -0700
Organization: Errno Consulting

> Actually, the integration into IPv4 strikes me as little more than
> an afterthought: the KAME code handles it in IPv6 without the extra
> overhead for the non-IPSEC sockets, and the IPv4 support is more of
> a bolt-on than something designed in. I'd almost want to see the
> IPSEC stuff treated as a separate encapsulation layer, on its own.
>

IPsec integration is done the same for IPv4 and IPv6.
Specifically, the socket parameter is passed through the aux mbuf rather than
as a function param. I've changed both ip_output and ip6_output to pass the
socket as an additional parameter to eliminate this practice.

> Adding a parameter for it specifically adds more cruft on the cruft
> that's already there, and makes the IPSEC *not* an encapsulation, in
> any way. 8-(.
>

Adding an extra param to ip*_output is a pragmatic approach chosen to minimize
impact to the code and reduce overhead. FWIW this approach is also found in
openbsd, irix and bsd/os.

> Is there another way to do this? A general extension mechanism for
> attributing mbufs seems to be a good idea. People have wanted this
> before, for credentials (e.g. Robert suggested something like this
> before).
>

m_tag's are a general extension mechanism for attributing mbuf chains (i.e.
packets). If deemed worthwhile they could be promoted from the pkthdr to the
base mbuf. For now I've tried to make the change that has least impact as
we're (supposedly) close to a freeze for DP2. Also, the change I've made
permits MFC'ing to -stable w/ binary compatibility since the SLIST of m_tag's
requires only a single pointer so this can replace the pointer to the aux mbuf
list.

Sam
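The closing point of the message, that an SLIST of tags needs only one pointer in the packet header, shown as a userland model. This is an added example, not part of the original message or of the FreeBSD patch; `pkt_tag`, `pkt_hdr`, the `tag_*` functions and the tag ids are hypothetical names chosen for illustration.

```c
/* Userland model, added example: pkt_tag, pkt_hdr and tag_* are hypothetical
 * names, not the FreeBSD m_tag API. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

struct pkt_tag {
    SLIST_ENTRY(pkt_tag) link;   /* next tag attached to the same packet */
    uint16_t id;                 /* what the tag describes */
    uint16_t len;                /* payload length in bytes */
    unsigned char data[];        /* payload stored right after the header */
};
SLIST_HEAD(pkt_tags, pkt_tag);   /* list head: exactly one pointer */

struct pkt_hdr {
    int len;
    struct pkt_tags tags;        /* sits where a lone aux pointer would */
};
enum { TAG_IPSEC_DONE = 1, TAG_SOCKET = 2 };   /* constructed tag ids */

size_t tag_head_size(void) { return sizeof(struct pkt_tags); }

/* Attach a tag with a copy of the caller's payload; NULL on allocation failure. */
struct pkt_tag *tag_add(struct pkt_hdr *p, uint16_t id, const void *d, uint16_t len)
{
    struct pkt_tag *t = malloc(sizeof(*t) + len);
    if (t == NULL)
        return NULL;
    t->id = id;
    t->len = len;
    if (len)
        memcpy(t->data, d, len);
    SLIST_INSERT_HEAD(&p->tags, t, link);
    return t;
}

/* Look a tag up by id, so layers need not agree on a single aux buffer. */
struct pkt_tag *tag_find(struct pkt_hdr *p, uint16_t id)
{
    struct pkt_tag *t;
    SLIST_FOREACH(t, &p->tags, link)
        if (t->id == id)
            return t;
    return NULL;
}

/* Free every tag when the packet is freed; returns how many were released. */
int tag_free_all(struct pkt_hdr *p)
{
    int n = 0;
    struct pkt_tag *t;
    while ((t = SLIST_FIRST(&p->tags)) != NULL) {
        SLIST_REMOVE_HEAD(&p->tags, link);
        free(t);
        n++;
    }
    return n;
}
```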