Date: Thu, 08 Mar 2001 15:51:32 +0100
From: Oscar-Ivan Lepe-Aldama <oscar@ac.upc.es>
To: questions@freebsd.org
Subject: IPSec implementation details?
Message-ID: <3AA79C74.541144B@ac.upc.es>
Hi!

I'm interested in some implementation details about IPSec for FreeBSD. Would someone know the answers, or know of any document where I could read about the following doubts?

I would like to understand how the code deals with packets coming out of a bundled SA tunnel. For instance, a packet with the following sequence of headers: [IP2][AH][ESP][IP][upper], where IP refers to IPv4.

From what I have read, I understand the following. Such a packet is placed at ipintrq, where ip_input() reads it and, after settling that it is "ours" and some other checks, calls ah4_input(). Here, if the packet is o.k., there are two cases depending on some checking done by ipsec4_tunnel_validate().

I believe (but I'm not sure) I have the first case clear; that is, the packet is stripped of all headers preceding AH, including AH itself, and is then returned to ipintrq and a software interrupt is raised. But I believe this case IS NOT the case for the packet I described (am I right?).

Contrarily, I'm confused with the second case, which I believe is the case for the packet I described. Some comment in the code says that in this case the AH header is removed from the packet and, after some more checks, the packet is handed to "the appropriate" protocol through the call (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt). But what does this mean? And what is the appropriate (nxt) protocol? That [IP2][AH][ESP][IP][upper] -> [IP2][ESP][IP][upper] and nxt = IP, or that [IP2][AH][ESP][IP][upper] -> [ESP][IP][upper] and nxt = ESP?

My confusion stems from my intuition that the second case should be the correct one, as the packet has already passed IP2 processing. But some debugging info I have collected reveals that the case implemented is the first one, so IP2 processing is repeated. Why is this needed?

TIA.
-- 
Oscar-Ivan Lepe-Aldama | UPC-Campus Nord, DAC
e-mail: oscar@ac.upc.es | Modul D6, despatx 116
phone: +34 93 401 7187 | Jordi Girona, 1-3
fax: +34 93 401 7055 | 08034 Barcelona - SPAIN
WWW: http://www.ac.upc.es/homes/oscar/
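To make the AH-removal step the post asks about concrete, here is an added example (not FreeBSD/KAME kernel code and not from the poster): it models, on a flat byte buffer, what the transport-mode branch of ah4_input() does as I understand the KAME code, namely removing only the AH header and its ICV, leaving the outer IP header at the front, and returning the AH next-header value that pr_input() is then dispatched on. The function names strip_ah_transport and build_sample are hypothetical, the packet bytes are constructed, and ICV verification is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IP protocol numbers for the headers in the chain the post describes. */
#define PROTO_ESP 50
#define PROTO_AH  51

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Models the transport-mode branch of ah4_input() on a flat buffer (hypothetical helper,
 * not the kernel's code): cut the AH header plus its ICV out of the packet, keep the
 * outer IP header at the front (the next layer's input routine still needs its
 * destination address to look up the SA), patch ip_p and ip_len, and return the
 * protocol number pr_input() would be dispatched on. Returns -1 on a malformed chain.
 * Authentication of the AH ICV is deliberately not modelled. */
int strip_ah_transport(uint8_t *pkt, size_t *pktlen)
{
    if (*pktlen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;              /* IPv4 header length, incl. options */
    if (hlen < 20 || hlen > *pktlen || pkt[9] != PROTO_AH) return -1;
    if (*pktlen - hlen < 12) return -1;                     /* fixed AH header is 12 bytes */
    int nxt = pkt[hlen];                                    /* AH "next header" field */
    size_t stripsiz = ((size_t)pkt[hlen + 1] + 2) * 4;      /* AH "payload len": 32-bit words minus 2 */
    if (stripsiz < 12 || stripsiz > *pktlen - hlen) return -1;
    memmove(pkt + hlen, pkt + hlen + stripsiz, *pktlen - hlen - stripsiz);
    *pktlen -= stripsiz;
    pkt[9] = (uint8_t)nxt;                                  /* ip_p now names the next protocol */
    put16(pkt + 2, (uint16_t)(get16(pkt + 2) - stripsiz));  /* ip_len shrinks by the AH size */
    return nxt;
}

/* Constructed sample packet [IP2][AH][ESP][...]: 20-byte IPv4, 12-byte AH header plus a
 * 12-byte ICV (so payload len = 24/4 - 2 = 4), then an 8-byte ESP SPI/sequence prefix.
 * Returns the packet length written to buf (buf must hold at least 52 bytes). */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t ip2[20] = { 0x45, 0, 0, 52, 0, 0, 0, 0, 64, PROTO_AH, 0, 0,
                                     10, 0, 0, 1, 10, 0, 0, 2 };
    static const uint8_t ah[24]  = { PROTO_ESP, 4, 0, 0, 0, 0, 0, 0x10, 0, 0, 0, 1,
                                     0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };
    static const uint8_t esp[8]  = { 0, 0, 0, 0x20, 0, 0, 0, 1 };   /* SPI 0x20, seq 1 */
    memcpy(buf, ip2, 20);
    memcpy(buf + 20, ah, 24);
    memcpy(buf + 44, esp, 8);
    return 52;
}
```

For the sample chain the returned nxt is 50 (ESP) and the outer IPv4 header is still at offset 0, now immediately followed by the ESP header.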