Subject: kern/17932: IPSEC needlessly disables IP fast-forwarding
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 08/13/2002 11:45:04
>Synopsis: IPSEC needlessly disables IP fast-forwarding
>Arrival-Date: Tue Aug 13 11:46:00 PDT 2002
>Originator: Jason R Thorpe
>Release: NetBSD 1.6 and NetBSD 1.6F
>Organization:
Wasabi Systems, Inc.
>Environment:
System: NetBSD net4501.fast-100.shagadelic.org 1.6F NetBSD 1.6F (SHAG-NET4501) #62: Tue Aug 13 11:21:57 PDT 2002 email@example.com:/u1/netbsd/src/sys/arch/i386/compile/SHAG-NET4501 i386
>Description:
The presence of the IPSEC option disables IP fast-forwarding:

    #ifdef IPSEC
        /* ipflow (IP fast forwarding) is not compatible with IPsec. */
        m->m_flags &= ~M_CANFASTFWD;
    #else
        /*
         * Assume that we can create a fast-forward IP flow entry
         * based on this packet.
         */
        m->m_flags |= M_CANFASTFWD;
    #endif
>How-To-Repeat:
Forward packets through a NetBSD-based router with the IPSEC
option in the kernel. Observe through "netstat -s" that no
packets are fast-forwarded. Take IPSEC out of the kernel,
run the test again, and observe through "netstat -s" that
packets are fast-forwarded. Note the performance difference
between the two under heavy load.
>Fix:
The M_CANFASTFWD flag should only be cleared if IPsec processing is
actually required, or rather if there is an IPsec SPD entry that
covers the packet. Note that the SPD-covers-packet check will
have to be done using src/dst address only, since the fast-forwarding
code does not check proto/port.
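The check the fix proposes, as an added example that is neither NetBSD's code nor part of the report: the SPD is walked on src/dst addresses only, and M_CANFASTFWD is cleared whenever any entry matches, so a policy selected on proto/port can never be bypassed by an ipflow entry. The SPD entries, addresses, the flag bit value and the function names are constructed for this example.

```c
/* Added example, not NetBSD's code. SPD entries, addresses and the
 * M_CANFASTFWD bit value are constructed placeholders, not the kernel's. */
#include <stddef.h>
#include <stdint.h>

#define M_CANFASTFWD 0x0001u
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct spd_entry {            /* one SPD selector, addresses only */
    uint32_t src, src_mask;   /* host-order IPv4 address and netmask */
    uint32_t dst, dst_mask;
};

/* 1 if any SPD selector matches src/dst. Proto/port are deliberately
 * ignored: the ipflow path never examines them, so an address-only match
 * must keep the packet on the slow path, or a policy keyed on port would
 * be bypassed by a flow entry. Over-matching only costs performance. */
static int spd_covers_addrs(const struct spd_entry *spd, size_t n,
                            uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if ((src & spd[i].src_mask) == (spd[i].src & spd[i].src_mask) &&
            (dst & spd[i].dst_mask) == (spd[i].dst & spd[i].dst_mask))
            return 1;
    return 0;
}

/* Replacement for the unconditional clear: keep M_CANFASTFWD unless a
 * policy could apply to this src/dst pair. */
static unsigned fastfwd_flags(unsigned m_flags, const struct spd_entry *spd,
                              size_t n, uint32_t src, uint32_t dst)
{
    if (spd_covers_addrs(spd, n, src, dst))
        return m_flags & ~M_CANFASTFWD; /* IPsec may apply: slow path */
    return m_flags | M_CANFASTFWD;      /* no policy can match: ipflow ok */
}

/* Constructed SPD: one policy covering 10.0.0.0/24 -> 192.168.1.0/24. */
static const struct spd_entry sample_spd[] = {
    { IP4(10, 0, 0, 0), IP4(255, 255, 255, 0),
      IP4(192, 168, 1, 0), IP4(255, 255, 255, 0) },
};

/* 1 if a packet src->dst may take the fast path under sample_spd. */
int can_fastfwd(uint32_t src, uint32_t dst)
{
    size_t n = sizeof(sample_spd) / sizeof(sample_spd[0]);
    return (fastfwd_flags(0, sample_spd, n, src, dst) & M_CANFASTFWD) != 0;
}
```

A packet whose addresses fall inside the policy stays on the slow path even if its protocol or port would not have matched the full selector; that conservative direction is the one the fast path can safely afford.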