Message-ID: <3AEEF59D.3D5622DE@aurora.regenstrief.org>
Date: Tue, 01 May 2001 17:42:53 +0000
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
To: Lars Eggert
Cc: snap-users@kame.net, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject: Re: The future of ALTQ, IPsec & IPFILTER playing together ...
References: <3AEEEE79.8F7CC7B0@aurora.regenstrief.org> <3AEEF26B.C6850070@isi.edu>

Lars Eggert wrote:

> You should really look into using IPIP tunnels together with IPsec
> transport mode. In that case, your packets loop through IP outbound
> processing twice, allowing you to hook into "IP hacks" (ALTQ, ipfw,
> ipfilter, etc.) at both the virtual network layer as well as the
> physical network layer. If (and I'm not sure this is supported, but it's
> easy to add) gif devices are ALTQified, you could apply ALTQ at the
> virtual network level, before IPsec processing kicks in at the physical
> network.

This makes perfect sense to me. Thanks for the reference to this
internet draft. I will switch to a gif-tunnel based approach for now
just to get my project going.

However, I am afraid that ALTQ is not supported on gif pseudo-devices,
as it seems that ALTQ wants to deal with things like DMA etc., i.e.,
real NIC hardware. You say, ALTQifying gif should be relatively simple?
Should I dare try it myself? I won't be getting away without
kernel-hacking anyway, since I can choose between ALTQifying the gif
device or adding TOS-based filtering into IPFW :-(

regards
-Gunther

--
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org