From owner-freebsd-net@FreeBSD.ORG Fri Jun 29 01:00:29 2007
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 58AA816A421 for ; Fri, 29 Jun 2007 01:00:29 +0000 (UTC) (envelope-from Susan.Lan@zyxel.com.tw)
Received: from zyfb01-66.zyxel.com.tw (zyfb01-66.zyxel.com.tw [59.124.183.66]) by mx1.freebsd.org (Postfix) with ESMTP id 02A3C13C457 for ; Fri, 29 Jun 2007 01:00:28 +0000 (UTC) (envelope-from Susan.Lan@zyxel.com.tw)
Received: from zytwbe01.zyxel.com ([172.23.5.10]) by zyfb01-66.zyxel.com.tw with Microsoft SMTPSVC(6.0.3790.1830); Fri, 29 Jun 2007 09:00:26 +0800
Received: from zytwfe01.ZyXEL.com ([172.23.5.5]) by zytwbe01.zyxel.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 29 Jun 2007 09:00:26 +0800
Received: from [172.23.17.155] ([172.23.17.155]) by zytwfe01.ZyXEL.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 29 Jun 2007 09:00:26 +0800
Message-ID: <468459B2.3060601@zyxel.com.tw>
Date: Fri, 29 Jun 2007 09:00:34 +0800
From: blue
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 Jun 2007 01:00:26.0318 (UTC) FILETIME=[E11576E0:01C7B9E8]
Subject: Some implementation problems about IPsec
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 29 Jun 2007 01:00:29 -0000

Dear all:

I have been tracing the code of the IPsec implementation recently. I have two questions about the implementation:

1. In ip6_input.c, before handing the packet to the next protocol handler after processing the IPv6 headers:

    #ifdef IPSEC
    	/*
    	 * enforce IPsec policy checking if we are seeing last header.
    	 * note that we do not visit this with protocols with pcb layer
    	 * code - like udp/tcp/raw ip.
    	 */
    	if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
    	    ipsec6_in_reject(m, NULL)) {
    		ipsec6stat.in_polvio++;
    		goto bad;
    	}
    #endif

Why does ipsec6_in_reject() need to be called here only for some specific "LASTHDR" protocols, such as ICMP? Why don't all packets need the check?

2. What is the real meaning of the flags M_AUTHIPHDR, M_AUTHIPDGM, and M_DECRYPTED? At first, I thought an mbuf carrying any one of these flags meant it had been processed by the IPsec stack. However, in the KAME implementation, ah_input and ah6_input unset the flag after an AH tunneled packet has passed authentication, while in the ESP case, once the M_DECRYPTED flag is set, it is never unset. On the other hand, in FAST_IPSEC, which is a different IPsec implementation on FreeBSD, the flags are never unset, and another flag named M_IPSEC is defined as M_AUTHIPHDR | M_AUTHIPDGM | M_DECRYPTED.

I am confused by the inconsistent usage.....

Many Thanks.

Susan
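As an added illustration of the first question (this is not FreeBSD or KAME code, and not part of the original mail), the following toy model walks an IPv6 next-header chain the way the ip6_input() loop does and applies the policy check only when the handler for the current header carries PR_LASTHDR. Protocol numbers are the real IANA values; the flag table (inet6sw_model), the PR_PCB marker standing in for "protocol with pcb layer code", and the policy function in_reject_model() are constructed assumptions, not the kernel's own definitions. It shows that for a chain of extension headers ending in ICMPv6 the check runs exactly once, at the last header, and that for TCP/UDP it does not run at the IP layer at all because the transport's pcb-level code is expected to do it.

```c
/* Added example, not FreeBSD code: model of the PR_LASTHDR-gated
 * IPsec policy check in the IPv6 input header-chain loop.        */
#include <stdio.h>

/* Real IANA protocol numbers for the next-header field. */
#define IPPROTO_HOPOPTS   0
#define IPPROTO_TCP       6
#define IPPROTO_UDP      17
#define IPPROTO_ROUTING  43
#define IPPROTO_FRAGMENT 44
#define IPPROTO_ICMPV6   58
#define IPPROTO_NONE     59

#define PR_LASTHDR 0x01  /* handler is the last header in the chain (as in FreeBSD) */
#define PR_PCB     0x02  /* constructed: handler has its own pcb-layer policy check */

struct protosw_model { int proto; int pr_flags; };

/* Constructed stand-in for inet6sw[]: extension headers carry no flag,
 * ICMPv6 and NONE are last headers, TCP/UDP defer to their pcb code. */
static const struct protosw_model inet6sw_model[] = {
    { IPPROTO_HOPOPTS,  0 },
    { IPPROTO_ROUTING,  0 },
    { IPPROTO_FRAGMENT, 0 },
    { IPPROTO_ICMPV6,   PR_LASTHDR },
    { IPPROTO_NONE,     PR_LASTHDR },
    { IPPROTO_TCP,      PR_PCB },
    { IPPROTO_UDP,      PR_PCB },
};

static int pr_flags_of(int nxt) {
    int n = (int)(sizeof inet6sw_model / sizeof inet6sw_model[0]);
    for (int i = 0; i < n; i++)
        if (inet6sw_model[i].proto == nxt) return inet6sw_model[i].pr_flags;
    return 0;  /* unknown header: no flags, no check here */
}

/* Toy mbuf: the header chain plus two constructed bits of state. */
struct mbuf_model {
    int chain[3];
    int nchain;
    int ipsec_protected;  /* constructed: 1 if the packet arrived inside an SA */
    int policy_require;   /* constructed: inbound policy demands IPsec */
};

/* Constructed stand-in for ipsec6_in_reject(): reject when policy demands
 * protection and the packet did not receive it. */
static int in_reject_model(const struct mbuf_model *m) {
    return m->policy_require && !m->ipsec_protected;
}

struct dispatch_result { int ip_layer_checks; int pcb_layer_checks; int dropped; };

/* Walk the chain as the input loop does: one handler per next-header value. */
static struct dispatch_result dispatch(const struct mbuf_model *m) {
    struct dispatch_result r = { 0, 0, 0 };
    for (int i = 0; i < m->nchain; i++) {
        int flags = pr_flags_of(m->chain[i]);
        if (flags & PR_LASTHDR) {          /* the check quoted from ip6_input.c */
            r.ip_layer_checks++;
            if (in_reject_model(m)) { r.dropped = 1; return r; }
        }
        if (flags & PR_PCB) {              /* transport's own check, modelled */
            r.pcb_layer_checks++;
            if (in_reject_model(m)) { r.dropped = 1; return r; }
        }
    }
    return r;
}

/* Convenience: up to three header values, -1 marks "no more headers". */
struct dispatch_result run_case(int h1, int h2, int h3, int protected_by_sa, int require) {
    struct mbuf_model m = { { h1, h2, h3 }, 0, protected_by_sa, require };
    int hs[3] = { h1, h2, h3 };
    for (int i = 0; i < 3 && hs[i] >= 0; i++) m.nchain = i + 1;
    return dispatch(&m);
}

int main(void) {
    struct dispatch_result a = run_case(IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_ICMPV6, 0, 1);
    struct dispatch_result b = run_case(IPPROTO_FRAGMENT, IPPROTO_TCP, -1, 0, 1);
    printf("hopopts->routing->icmp6: ip checks=%d pcb checks=%d dropped=%d\n",
           a.ip_layer_checks, a.pcb_layer_checks, a.dropped);
    printf("fragment->tcp:           ip checks=%d pcb checks=%d dropped=%d\n",
           b.ip_layer_checks, b.pcb_layer_checks, b.dropped);
    return 0;
}
```

Under this model a packet that policy requires to be protected but that arrived in the clear is dropped once, at the last header, rather than being re-checked at every extension header; the same packet carried inside an SA passes.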