From: Oscar-Ivan Lepe-Aldama <oscar@ac.upc.es>
Organization: DAC/UPC
Date: Thu, 08 Mar 2001 15:51:32 +0100
To: questions@freebsd.org
Subject: IPSec implementation details?

Hi!

I'm interested in some implementation details about IPSec for FreeBSD. Would someone know the answers, or know of any document where I could read about the following doubts?

I would like to understand how the code deals with packets coming out of a bundled SA tunnel. For instance, a packet with the following sequence of headers: [IP2][AH][ESP][IP][upper], where IP refers to IPv4.

From what I have read I understand the following. Such a packet is placed at ipintrq, where ip_input() reads it and, after settling that it is "ours" and some other checks, calls ah4_input(). Here, if the packet is o.k., there are two cases depending on some checking done by ipsec4_tunnel_validate(). I believe (but I'm not sure) I have the first case clear; that is, the packet is stripped of all headers preceding AH, including AH itself, and then is returned to ipintrq and a software interrupt is raised. But I believe this case is NOT the case for the packet I described (am I right?). On the contrary, I'm confused with the second case, which I believe is the case for the packet I described.
Some comment in the code says that in this case the AH header is removed from the packet and, after some more checks, the packet is handed to "the appropriate" protocol through the call (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt). But what does this mean? And what is the appropriate (nxt) protocol? That [IP2][AH][ESP][IP][upper] -> [IP2][ESP][IP][upper] and nxt = IP, or that [IP2][AH][ESP][IP][upper] -> [ESP][IP][upper] and nxt = ESP?

My confusion stems from my intuition that the second case should be the correct one, as the packet has already passed IP2 processing. But some debugging info I have collected reveals that the case implemented is the first one, so IP2 processing is repeated. Why is this needed?

TIA.

--
Oscar-Ivan Lepe-Aldama | UPC-Campus Nord, DAC
e-mail: oscar@ac.upc.es | Modul D6, despatx 116
phone: +34 93 401 7187 | Jordi Girona, 1-3
fax: +34 93 401 7055 | 08034 Barcelona - SPAIN
WWW: http://www.ac.upc.es/homes/oscar/
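The dispatch the message asks about, as an added example for this page (it is neither part of the original message nor FreeBSD/KAME kernel code): a compact C model of the two branches that follow the AH integrity check in ah4_input(). It uses a flat byte buffer in place of an mbuf chain, skips authentication entirely, and stands a two-entry lookup in for inetsw[ip_protox[nxt]]; the names ah4_input_model, sample_bundle and the stub handlers are this example's own, and the SPI, sequence and ICV bytes in the constructed packet are placeholders. The model assumes the behaviour usually described for the KAME transport-mode path: when the AH next-header field is not IPv4 (so ipsec4_tunnel_validate() does not accept it as a tunnel), AH is cut out, the IP header is slid forward over the hole, ip_len and ip_p are patched, and pr_input(m, off, nxt) is called with nxt equal to the AH next-header value and off equal to the IP header length. For [IP2][AH][ESP][IP][upper] that yields [IP2][ESP][IP][upper] with nxt = ESP (50) and the outer IP header still in front of the packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPPROTO_IPV4 4
#define IPPROTO_UDP  17
#define IPPROTO_ESP  50
#define IPPROTO_AH   51

/* Flat buffer standing in for an mbuf chain (model only, not the kernel's struct). */
struct pkt { uint8_t data[256]; size_t len; };

/* What the AH input step did, so a caller can see which branch ran. */
struct ah_result {
    int    branch;   /* 0 = transport: dispatched via protocol switch; 1 = tunnel: requeued */
    int    nxt;      /* protocol handed to the next stage */
    size_t off;      /* offset passed to pr_input (transport branch only) */
};

/* Stand-ins for pr_input(m, off, nxt): each just echoes the protocol it received. */
typedef int (*pr_input_t)(struct pkt *, size_t, int);
static int esp_input_stub(struct pkt *p, size_t off, int nxt) { (void)p; (void)off; return nxt; }
static int rip_input_stub(struct pkt *p, size_t off, int nxt) { (void)p; (void)off; return -nxt; }

/* Models inetsw[ip_protox[nxt]]: a known protocol gets its handler, anything else raw IP. */
static pr_input_t lookup_pr_input(int proto) {
    return proto == IPPROTO_ESP ? esp_input_stub : rip_input_stub;
}

static size_t ip_hdr_len(const uint8_t *b) { return (size_t)(b[0] & 0x0f) * 4; }

/* 20-byte IPv4 header without options; addresses from the 192.0.2.0/24 documentation range. */
static void build_ipv4(uint8_t *b, uint8_t proto, uint16_t total_len) {
    memset(b, 0, 20);
    b[0] = 0x45;                                    /* version 4, IHL 5 */
    b[2] = (uint8_t)(total_len >> 8); b[3] = (uint8_t)total_len;
    b[8] = 64;                                      /* TTL */
    b[9] = proto;
    memcpy(b + 12, "\xc0\x00\x02\x01", 4);
    memcpy(b + 16, "\xc0\x00\x02\x02", 4);
}

/* AH with a 12-byte ICV (HMAC-96 size): 24 bytes total, payload-len field = 24/4 - 2 = 4. */
static void build_ah(uint8_t *b, uint8_t nxt) {
    memset(b, 0, 24);
    b[0] = nxt;                 /* next header */
    b[1] = 4;                   /* payload length in 32-bit words minus 2 */
    b[6] = 0x10;                /* SPI 0x00001000, placeholder */
    b[11] = 1;                  /* sequence number 1 */
    memset(b + 12, 0xAA, 12);   /* placeholder ICV, never verified in this model */
}

/* The two branches after a (skipped) integrity check. sa_tunnel_mode says whether the
 * SA this AH matched is a tunnel-mode SA, which ipsec4_tunnel_validate() would consult. */
static struct ah_result ah4_input_model(struct pkt *p, int sa_tunnel_mode) {
    struct ah_result r = {0, 0, 0};
    size_t   off   = ip_hdr_len(p->data);
    uint8_t *ah    = p->data + off;
    int      nxt   = ah[0];
    size_t   ahlen = ((size_t)ah[1] + 2) * 4;

    if (sa_tunnel_mode && nxt == IPPROTO_IPV4) {
        /* Tunnel case: drop outer IP and AH; the inner IP packet goes back to the IP input queue. */
        memmove(p->data, p->data + off + ahlen, p->len - off - ahlen);
        p->len -= off + ahlen;
        r.branch = 1; r.nxt = IPPROTO_IPV4; r.off = 0;
        return r;
    }

    /* Transport case: slide the IP header forward over AH, discard the leading bytes,
     * patch ip_len and ip_p, then hand [IP][nxt...] to the protocol switch with off past IP. */
    memmove(p->data + ahlen, p->data, off);
    memmove(p->data, p->data + ahlen, p->len - ahlen);
    p->len -= ahlen;
    uint16_t iplen = (uint16_t)(((p->data[2] << 8) | p->data[3]) - ahlen);
    p->data[2] = (uint8_t)(iplen >> 8); p->data[3] = (uint8_t)iplen;
    p->data[9] = (uint8_t)nxt;

    r.branch = 0; r.nxt = nxt; r.off = off;
    (*lookup_pr_input(nxt))(p, off, nxt);
    return r;
}

/* Constructed sample [IP2][AH][ESP][IP][upper]; ESP and everything inside it are opaque filler. */
static struct pkt sample_bundle(void) {
    struct pkt p; memset(&p, 0, sizeof p);
    static const uint8_t esp_filler[16] = { 0x00,0x00,0x20,0x00, 0x00,0x00,0x00,0x01,
                                            0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00 };
    size_t total = 20 + 24 + sizeof esp_filler;
    build_ipv4(p.data, IPPROTO_AH, (uint16_t)total);
    build_ah(p.data + 20, IPPROTO_ESP);
    memcpy(p.data + 44, esp_filler, sizeof esp_filler);
    p.len = total;
    return p;
}

int main(void) {
    struct pkt p = sample_bundle();
    struct ah_result r = ah4_input_model(&p, 1);
    printf("branch=%d nxt=%d off=%zu len=%zu ip_p=%u\n", r.branch, r.nxt, r.off, p.len, p.data[9]);
    return 0;
}
```

Running it on the constructed bundle shows the point in the message: even with a tunnel-mode SA, the AH next header is ESP rather than IPv4, so the transport branch runs, the outer IP header stays at the front with ip_p rewritten to 50, and the protocol switch is entered with off = 20. Only an AH whose next header is IPv4 on a tunnel SA takes the strip-and-requeue branch.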