From: "Oldach, Helge"
To: freebsd-hackers@freebsd.org
Date: Sat, 24 Apr 2004 18:03:39 +0200
cc: 'Mike Tancsa'
Subject: RE: FAST_IPSEC bug fix

Hi list,

this is a month-old mail about the lack of a FAST_IPSEC feature compared to legacy IPSEC. Including a working patch. I haven't seen this being committed, or is it?

Please also MFC to STABLE.

Regards,
Helge

> -----Original Message-----
> From: owner-freebsd-hackers@freebsd.org
> [mailto:owner-freebsd-hackers@freebsd.org] On Behalf Of Mike Tancsa
> Sent: Tuesday, 30.
March 2004 19:14
> To: freebsd-hackers@freebsd.org
> Subject: FAST_IPSEC bug fix
>
> Well, it's not totally a bug, but missing functionality that looks like it is
> there but is not and is pretty important to keep lossy links functioning
> with IPSEC. My colleague gabor@sentex.net created the patch below that
> implements net.key.prefered_oldsa when using FAST_IPSEC. The discussion
> has come up before about this, but no action. I know sam@freebsd.org is
> really busy and cannot help. Is there anyone out there who could review and
> commit the patch below ? It works against RELENG_4
>
> I have bcc'd the last 2 committers to touch the code in the hopes that they
> might have the time and inclination to review / commit ?
>
>
> *** /usr/src/sys/netipsec/key.c Mon Mar 29 20:11:44 2004 > --- ./key.c Tue Mar 30 12:00:31 2004 > *************** > *** 133,138 **** > --- 133,139 ---- > #endif > static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* > SP acquiring > list */ > > + #if 0 > /* search order for SAs */ > static u_int saorder_state_valid[] = { > SADB_SASTATE_DYING, SADB_SASTATE_MATURE, > *************** > *** 141,146 **** > --- 142,154 ---- > * for outbound processing. For inbound, This is > not important. > */ > }; > + #endif > + static const u_int saorder_state_valid_prefer_old[] = { > + SADB_SASTATE_DYING, SADB_SASTATE_MATURE, > + }; > + static const u_int saorder_state_valid_prefer_new[] = { > + SADB_SASTATE_MATURE, SADB_SASTATE_DYING, > + }; > static u_int saorder_state_alive[] = { > /* except DEAD */ > SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL > *************** > *** 816,821 **** > --- 824,831 ---- > struct secashead *sah; > struct secasvar *sav; > u_int stateidx, state; > + const u_int *saorder_state_valid; > + int arraysize; > > LIST_FOREACH(sah, &sahtree, chain) { > if (sah->state == SADB_SASTATE_DEAD) > *************** > *** 828,836 **** > > found: > > /* search valid state */ > for (stateidx = 0; > !
stateidx < _ARRAYLEN(saorder_state_valid); > stateidx++) { > > state = saorder_state_valid[stateidx]; > --- 838,853 ---- > > found: > > + if (key_prefered_oldsa) { > + saorder_state_valid = saorder_state_valid_prefer_old; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); > + } else { > + saorder_state_valid = saorder_state_valid_prefer_new; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); > + } > /* search valid state */ > for (stateidx = 0; > ! stateidx < arraysize; > stateidx++) { > > state = saorder_state_valid[stateidx]; > *************** > *** 997,1008 **** > --- 1014,1034 ---- > struct secasvar *sav; > u_int stateidx, state; > int s; > + const u_int *saorder_state_valid; > + int arraysize; > > KASSERT(dst != NULL, ("key_allocsa: null dst address")); > > KEYDEBUG(KEYDEBUG_IPSEC_STAMP, > printf("DP key_allocsa from %s:%u\n", where, tag)); > > + if (key_prefered_oldsa) { > + saorder_state_valid = saorder_state_valid_prefer_old; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_old); > + } else { > + saorder_state_valid = saorder_state_valid_prefer_new; > + arraysize = _ARRAYLEN(saorder_state_valid_prefer_new); > + } > /* > * searching SAD. > * XXX: to be checked internal IP header somewhere. > Also when > *************** > *** 1013,1019 **** > LIST_FOREACH(sah, &sahtree, chain) { > /* search valid state */ > for (stateidx = 0; > ! stateidx < _ARRAYLEN(saorder_state_valid); > stateidx++) { > state = saorder_state_valid[stateidx]; > LIST_FOREACH(sav, > &sah->savtree[state], chain) { > --- 1039,1045 ---- > LIST_FOREACH(sah, &sahtree, chain) { > /* search valid state */ > for (stateidx = 0; > ! 
stateidx < arraysize; > stateidx++) { > state = saorder_state_valid[stateidx]; > LIST_FOREACH(sav, > &sah->savtree[state], chain) {
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
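
Review bot: In the hunks at 133 and 141 the original saorder_state_valid[] is fenced off with #if 0 / #endif instead of being deleted, which leaves dead code behind and compiles out the only comment explaining why the search order matters for outbound processing. Delete the old array and move that comment onto saorder_state_valid_prefer_old[] and saorder_state_valid_prefer_new[], saying which of the two net.key.prefered_oldsa selects.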
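
Review bot: In the hunk at 816 arraysize is declared int, while the loop rewritten in the hunk at 828 compares it against stateidx, which is u_int, so "stateidx < arraysize" becomes a signed/unsigned comparison. Declare arraysize as u_int to match the loop index; the same applies to the declaration added in the hunk at 997 and the loop in the hunk at 1013.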
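
Review bot: The if (key_prefered_oldsa) block added before the SAD search in the hunk at 997 is a verbatim copy of the one added after the found: label in the hunk at 828. A small static helper that returns the state array and its length for the current setting would keep the two lookups from drifting apart and would give one place to document the preference.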