Subject: kern/17932: IPSEC needlessly disables IP fast-forwarding
To: None <>
From: None <>
List: netbsd-bugs
Date: 08/13/2002 11:45:04
>Number:         17932
>Category:       kern
>Synopsis:       IPSEC needlessly disables IP fast-forwarding
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 13 11:46:00 PDT 2002
>Originator:     Jason R Thorpe
>Release:        NetBSD 1.6 and NetBSD 1.6F
>Organization:
Wasabi Systems, Inc.
>Environment:
System: NetBSD 1.6F NetBSD 1.6F (SHAG-NET4501) #62: Tue Aug 13 11:21:57 PDT 2002 i386
Architecture: i386
Machine: i386
>Description:
	The presence of the IPSEC option disables IP fast-forwarding:

#ifdef IPSEC
        /* ipflow (IP fast forwarding) is not compatible with IPsec. */
        m->m_flags &= ~M_CANFASTFWD;
#else
        /*
         * Assume that we can create a fast-forward IP flow entry
         * based on this packet.
         */
        m->m_flags |= M_CANFASTFWD;
#endif

>How-To-Repeat:
	Forward packets through a NetBSD-based router with the IPSEC
	option in the kernel.  Observe through "netstat -s" that no
	packets are fast-forwarded.  Take IPSEC out of the kernel,
	run the test again, and observe through "netstat -s" that
	packets are fast-forwarded.  Note the performance difference
	between the two under heavy load.

>Fix:
	The M_CANFASTFWD should only be cleared if IPsec processing is
	actually required, or rather if there is an IPsec SPD entry that
	covers the packet.  Note that the SPD-covers-packet check will
	have to be done using src/dst address only, since the fast-forwarding
	code does not check proto/port.
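The following is an added illustration of the fix proposed above; it is not NetBSD code and not part of the original report. It models a tiny SPD with address selectors (plus the proto/port selectors that the ipflow path never sees) and a replacement for the unconditional `#ifdef IPSEC` clearing of M_CANFASTFWD that instead asks whether any SPD entry covers the packet's src/dst. The entry table, the packets and the M_CANFASTFWD bit value are all constructed for the example; `spd_covers_addrs()` and `ip_input_flow_flags()` are hypothetical names. The address-only match is the security-relevant part: because the flow cache is keyed on addresses, a packet the policy does not select by port (say TCP/80) would otherwise create a flow that later carries packets the policy does select (TCP/443) around IPsec, so any address match must disqualify the packet from fast-forwarding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative flag bit for the example; NetBSD's real value is in sys/mbuf.h. */
#define M_CANFASTFWD 0x0400u

/* Build an IPv4 address in host byte order from dotted-quad components. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Minimal SPD entry: address selectors, plus the proto/port selectors that
 * the fast-forward path cannot evaluate. */
struct spd_entry {
    uint32_t src, src_mask;
    uint32_t dst, dst_mask;
    int      proto;        /* 0 = any */
    uint16_t dport;        /* 0 = any */
    const char *policy;
};

/* Constructed sample SPD (hypothetical policies, not from any real host). */
static const struct spd_entry spd[] = {
    /* HTTPS from 10.0.1.0/24 to 192.168.5.0/24 must go through ESP. */
    { IP4(10, 0, 1, 0), 0xFFFFFF00u, IP4(192, 168, 5, 0), 0xFFFFFF00u,
      6, 443, "require ESP/tunnel" },
    /* Anything addressed to 172.16.0.1 must go through ESP. */
    { 0, 0, IP4(172, 16, 0, 1), 0xFFFFFFFFu, 0, 0, "require ESP/transport" },
};

/* Address-only SPD lookup. proto/dport are deliberately ignored: ipflow keys
 * flows on addresses alone, so an entry whose address selectors match must
 * disqualify the packet even if this packet's port would not be selected. */
static bool spd_covers_addrs(uint32_t src, uint32_t dst, const char **why)
{
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++) {
        const struct spd_entry *e = &spd[i];
        if ((src & e->src_mask) == (e->src & e->src_mask) &&
            (dst & e->dst_mask) == (e->dst & e->dst_mask)) {
            if (why) *why = e->policy;
            return true;
        }
    }
    if (why) *why = NULL;
    return false;
}

/* Proposed ip_input() behaviour: clear M_CANFASTFWD only when an SPD entry
 * covers the packet, rather than unconditionally whenever IPSEC is built in. */
static uint32_t ip_input_flow_flags(uint32_t m_flags, uint32_t src, uint32_t dst)
{
    if (spd_covers_addrs(src, dst, NULL))
        return m_flags & ~M_CANFASTFWD;   /* IPsec may apply: slow path */
    return m_flags | M_CANFASTFWD;        /* no policy: eligible for ipflow */
}

int main(void)
{
    /* Constructed forwarded packets; the first is TCP/80, which the first SPD
     * entry would not select by port, yet it still must not be fast-forwarded. */
    struct { uint32_t src, dst; const char *desc; } pkts[] = {
        { IP4(10, 0, 1, 7), IP4(192, 168, 5, 9), "10.0.1.7 -> 192.168.5.9 (TCP/80)" },
        { IP4(10, 0, 2, 3), IP4(192, 168, 5, 9), "10.0.2.3 -> 192.168.5.9" },
        { IP4(10, 9, 9, 9), IP4(172, 16, 0, 1),  "10.9.9.9 -> 172.16.0.1" },
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        const char *why;
        bool covered = spd_covers_addrs(pkts[i].src, pkts[i].dst, &why);
        uint32_t flags = ip_input_flow_flags(0, pkts[i].src, pkts[i].dst);
        printf("%-36s covered=%d (%s) M_CANFASTFWD=%d\n", pkts[i].desc, covered,
               covered ? why : "no SPD entry", (flags & M_CANFASTFWD) != 0);
    }
    return 0;
}
```

In a real kernel the lookup would walk the SPD the way the IPsec code does for outbound policy, but the point stands: a packet with no matching address selectors is safe to hand to ipflow, and only packets whose src/dst fall under some policy need the slow path.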