Subject: kern/17932: IPSEC needlessly disables IP fast-forwarding
To: None <gnats-bugs@gnats.netbsd.org>
From: None <thorpej@shagadelic.org>
List: netbsd-bugs
Date: 08/13/2002 11:45:04
>Number:         17932
>Category:       kern
>Synopsis:       IPSEC needlessly disables IP fast-forwarding
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 13 11:46:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jason R Thorpe
>Release:        NetBSD 1.6 and NetBSD 1.6F
>Organization:
Wasabi Systems, Inc.
>Environment:
	
	
System: NetBSD net4501.fast-100.shagadelic.org 1.6F NetBSD 1.6F (SHAG-NET4501) #62: Tue Aug 13 11:21:57 PDT 2002     thorpej@yeah-baby.shagadelic.org:/u1/netbsd/src/sys/arch/i386/compile/SHAG-NET4501 i386
Architecture: i386
Machine: i386
>Description:
	The presence of the IPSEC option disables IP fast-forwarding:

#ifdef IPSEC
        /* ipflow (IP fast forwarding) is not compatible with IPsec. */
        m->m_flags &= ~M_CANFASTFWD;
#else
        /*
         * Assume that we can create a fast-forward IP flow entry
         * based on this packet.
         */
        m->m_flags |= M_CANFASTFWD;
#endif

>How-To-Repeat:
	Forward packets through a NetBSD-based router with the IPSEC
	option in the kernel.  Observe through "netstat -s" that no
	packets are fast-forwarded.  Take IPSEC out of the kernel,
	run the test again, and observe through "netstat -s" that
	packets are fast-forwarded.  Note the performance difference
	between the two under heavy load.

>Fix:
	The M_CANFASTFWD should only be cleared if IPsec processing is
	actually required, or rather if there is an IPsec SPD entry that
	covers the packet.  Note that the SPD-covers-packet check will
	have to be done using src/dst address only, since the fast-forwarding
	code does not check proto/port.
>Release-Note:
>Audit-Trail:
>Unformatted:
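The Fix section above proposes clearing M_CANFASTFWD only when an SPD entry covers the packet, and matching on src/dst address alone because the ipflow cache does not key on proto/port. The following is an added userland illustration of that decision, not NetBSD kernel code: the mbuf flag value, the SPD entry layout, the prefix matcher and the sample policy are all constructed for the example. It contrasts the reported behaviour (IPSEC compiled in, flag always cleared) with the proposed one, and shows why the address-only lookup has to over-match: a UDP packet between the covered addresses is still denied a flow entry, because a flow created for it would also short-circuit the TCP/22 traffic the policy does apply to.

```c
/* Added illustration (not NetBSD code): deciding M_CANFASTFWD from an
 * address-only SPD lookup, as the PR's Fix section proposes.
 * Structures, flag value and sample policy below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define M_CANFASTFWD 0x0001u   /* hypothetical bit value for the mbuf flag */

/* IPv4 address in host byte order, built from a dotted quad. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Prefix selector: addr/prefix_len (host byte order). */
struct addr_sel { uint32_t addr; unsigned prefix_len; };

static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - len));
}

static bool sel_match(const struct addr_sel *s, uint32_t a)
{
    uint32_t m = prefix_mask(s->prefix_len);
    return (a & m) == (s->addr & m);
}

/* Constructed SPD entry: src/dst prefixes plus proto/port selectors (0 = any). */
struct spd_entry {
    struct addr_sel src, dst;
    uint8_t proto;
    uint16_t sport, dport;
};

/* Address-only lookup: true if any entry's src/dst selectors cover the pair.
 * proto/port are ignored on purpose: the ipflow cache keys on addresses only,
 * so leaving the flag set for one packet would let the cache later bypass
 * IPsec for every packet between these addresses, including the ones the
 * entry's proto/port selectors do match. */
bool spd_covers_addrs(const struct spd_entry *spd, size_t n,
                      uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if (sel_match(&spd[i].src, src) && sel_match(&spd[i].dst, dst))
            return true;
    return false;
}

/* Behaviour reported in the PR: with IPSEC compiled in, never fast-forward. */
unsigned fastfwd_flags_current(unsigned flags, bool ipsec_compiled)
{
    return ipsec_compiled ? (flags & ~M_CANFASTFWD) : (flags | M_CANFASTFWD);
}

/* Behaviour the Fix section proposes: clear the flag only when an SPD entry
 * covers the packet's addresses; otherwise the packet may be fast-forwarded. */
unsigned fastfwd_flags_proposed(unsigned flags, const struct spd_entry *spd,
                                size_t n, uint32_t src, uint32_t dst)
{
    if (spd_covers_addrs(spd, n, src, dst))
        return flags & ~M_CANFASTFWD;
    return flags | M_CANFASTFWD;
}

/* Constructed SPD: one entry covering TCP/22 from 10.0.0.0/8 to 192.168.1.0/24. */
const struct spd_entry example_spd[] = {
    { { 0x0A000000u, 8 }, { 0xC0A80100u, 24 }, 6, 0, 22 },
};
#define EXAMPLE_SPD_LEN (sizeof example_spd / sizeof example_spd[0])

int main(void)
{
    /* Constructed packets: a UDP/53 packet inside the covered prefixes and a
     * packet from an uncovered source. */
    uint32_t dst = ip4(192, 168, 1, 5);
    unsigned a = fastfwd_flags_proposed(0, example_spd, EXAMPLE_SPD_LEN,
                                        ip4(10, 1, 2, 3), dst);
    unsigned b = fastfwd_flags_proposed(0, example_spd, EXAMPLE_SPD_LEN,
                                        ip4(172, 16, 0, 1), dst);
    printf("10.1.2.3  -> 192.168.1.5: fastfwd %s (covered by address, even though UDP)\n",
           (a & M_CANFASTFWD) ? "allowed" : "disabled");
    printf("172.16.0.1 -> 192.168.1.5: fastfwd %s (no SPD entry covers it)\n",
           (b & M_CANFASTFWD) ? "allowed" : "disabled");
    printf("current IPSEC kernel, any packet: fastfwd %s\n",
           (fastfwd_flags_current(M_CANFASTFWD, true) & M_CANFASTFWD) ? "allowed" : "disabled");
    return 0;
}
```

The second packet is the case the PR is about: with the IPSEC option compiled in, the current code disables fast-forwarding for it although no policy touches it, while the address-only SPD check lets it take the fast path. The first packet shows the cost of the address-only approximation the PR accepts: traffic that merely shares addresses with a covered flow also loses fast-forwarding, which is the safe direction to err in.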