From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Tue, 7 Mar 2006 19:02:22 +0100
Subject: FAST_IPSEC and tunnelled packets processing
Message-ID: <20060307180222.GA1308@zen.inc>
List-Id: Networking and TCP/IP with FreeBSD

Hi all.

I'm playing with FAST_IPSEC, and noticed what looks strange to me:

I have an ESP/Tunnel configuration, and when I wanted to track packet
processing in the kernel, I noticed it goes 3 times in ip_input():

- ESP packet passes through ip_input(), and is sent to ipsec code.
- esp_input_cb() removes the ESP header and trailer, and sends it back to
  ipsec_common_input_cb().
- ipsec_common_input_cb() sends it back to ip_input(), without ESP header,
  but still with an IPIP header (IP addresses are tunnel endpoints).
- ip_input() will send it to "I don't know exactly where" (but I guess it
  will go to ip_forward()), where the IPIP header will be removed and...
  yes, packet will be sent again to ip_input(), where it will really be the
  inner packet...

Is this a bug, a "missing feature", or something done this way for "some
good reason I don't see"?

KAME's IPSEC stack removes both ESP header and IPIP header at the same
time (in esp4_input()/ipsec4_tunnel_validate()), the packet is only seen
twice by ip_input().

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
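The two decapsulation orders the mail compares, as an added C model written for this archive (not code from the mail, from FreeBSD or from KAME): a loop standing in for ip_input() either keeps the outer header as an IPIP packet after stripping ESP (three passes) or drops ESP and the outer header together (two passes). Function names, the constructed sample packet and the assumption that the ESP payload is already decrypted with no ICV attached are all this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PROTO_IPIP 4
#define PROTO_ESP  50

/* Parse the IPv4 header at p (len bytes available): returns protocol, or -1 if malformed. */
static int ip4_parse(const uint8_t *p, size_t len, size_t *hl, size_t *tl)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    *hl = (size_t)(p[0] & 0x0f) * 4;
    *tl = ((size_t)p[2] << 8) | p[3];
    return (*hl < 20 || *tl < *hl || *tl > len) ? -1 : p[9];
}

/* Count the passes a decapsulation loop modelled on ip_input() makes over one ESP tunnel packet.
 * fast_ipsec != 0: ESP goes but the outer header stays, protocol rewritten to IPIP, and is re-injected
 * (tunnel header stripped on a later pass); fast_ipsec == 0: ESP and outer header go in one step, as the
 * mail describes KAME doing. pkt is rewritten in place (assumed decrypted, no ICV, checksum not redone). */
int ip_input_passes(uint8_t *pkt, size_t len, int fast_ipsec)
{
    size_t hl, tl; int proto, passes = 0;
    for (;;) {
        if ((proto = ip4_parse(pkt, len, &hl, &tl)) < 0) return -1;
        passes++;
        if (proto == PROTO_ESP) {
            if (tl - hl < 8 + 2) return -1;   /* ESP header (SPI+seq) + pad length + next header */
            uint8_t pad = pkt[tl - 2], next = pkt[tl - 1];
            size_t plen = tl - hl - 10;
            if (pad > plen || next != PROTO_IPIP) return -1;
            plen -= pad;
            if (fast_ipsec) {   /* keep outer header, now carrying the inner packet as IPIP */
                memmove(pkt + hl, pkt + hl + 8, plen); len = hl + plen;
                pkt[9] = PROTO_IPIP; pkt[2] = (uint8_t)(len >> 8); pkt[3] = (uint8_t)len;
            } else { memmove(pkt, pkt + hl + 8, plen); len = plen; }
        } else if (proto == PROTO_IPIP) {
            len = tl - hl; memmove(pkt, pkt + hl, len);
        } else return passes;   /* inner packet reached; a real stack delivers it here */
    }
}

/* Constructed sample: outer IP(ESP) | ESP | inner IP(TCP, 4 payload bytes) | pad | pad len | next. */
size_t build_sample(uint8_t *buf)   /* buf needs 56 bytes */
{
    static const uint8_t pkt[56] = {
        0x45,0,0,56, 0,1,0,0, 64,PROTO_ESP,0,0, 10,0,0,1, 10,0,0,2, /* outer: tunnel endpoints */
        0,0,0,0x10, 0,0,0,1,                                        /* ESP: SPI 0x10, seq 1 */
        0x45,0,0,24, 0,2,0,0, 64,6,0,0, 192,168,1,1, 192,168,2,1,   /* inner: real endpoints */
        0xde,0xad,0xbe,0xef, 1,2, 2,PROTO_IPIP };                   /* payload, pad, len, next */
    memcpy(buf, pkt, sizeof pkt); return sizeof pkt;
}

/* Runs the sample through either model: demo(1) returns 3, demo(0) returns 2. */
int demo(int fast_ipsec) { uint8_t b[64]; return ip_input_passes(b, build_sample(b), fast_ipsec); }
```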