Subject: typos in www.netbsd.org/Documentation/network/ipsec/
To: None <netbsd-docs@netbsd.org>
From: David Waitzman <djw@bbn.com>
List: netbsd-docs
Date: 05/24/2002 12:03:27
I think that the following picture, in the "Interaction with ipfilter" section of the "NetBSD IPsec" doc, is somewhat wrong:
inbound processing:

        userland programs                 IKE daemon
          ^ AF_INET{,6} socket            ^ | PF_KEY socket
========= | ============================= | | ======== Kernel/user boundary
          |                               | v
        transport layer, TCP/UDP          key management table
          ^    ^                          | key information
          |    |                          |
          |    |                          v
    +-----IP input/output logic <-------> AH/ESP/IPcomp logic
    v     ^  ^                            |
  tunnel  |  +----------------------------+ decapsulated IPsec packets
  devices |
          | ipfilter rules
          | ^
    +------>|
            |
        Network drivers (ethernet)

outbound processing:

        userland programs                 IKE daemon
          | AF_INET{,6} socket            ^ | PF_KEY socket
========= | ============================= | | ======== Kernel/user boundary
          v                               | v
        transport layer, TCP/UDP          key management table
          |    ^                          | key information
          |    |                          |
          v    |                          v
    +---->IP input/output logic <-------> AH/ESP/IPcomp logic
    |     |                               (incl. IPsec tunnel
    |     |                                encapsulation)
  tunnel  |
  devices |
          | ipfilter rules
          | |
    +-------+
            v
        Network drivers (ethernet)
I would correct it to:
inbound processing:

        userland programs                 IKE daemon
          ^ AF_INET{,6} socket            ^ | PF_KEY socket
========= | ============================= | | ======== Kernel/user boundary
          |                               | v
        transport layer, TCP/UDP          key management table
          ^    ^                          | key information
          |    |                          |
          |    |                          v
    +-----IP input logic ---------------> AH/ESP/IPcomp logic
    v     ^  ^                            |
  tunnel  |  +----------------------------+ decapsulated IPsec packets
  devices |
          | ipfilter rules
          | ^
    +------>|
            |
        Network drivers (ethernet)

outbound processing:

        userland programs                 IKE daemon
          | AF_INET{,6} socket            ^ | PF_KEY socket
========= | ============================= | | ======== Kernel/user boundary
          v                               | v
        transport layer, TCP/UDP          key management table
          |    ^                          | key information
          |    |                          |
          v    |                          v
    +---->IP output logic --------------> AH/ESP/IPcomp logic
    |     |  ^                            | (incl. IPsec tunnel
    |     |  |                            |  encapsulation)
  tunnel  |  +----------------------------+ encapsulated IPsec packets
  devices |
          | ipfilter rules
          | |
    +-------+
            v
        Network drivers (ethernet)
**************************************
Which is to say, there are problems around the following two sections:
    +-----IP input logic ---------------> AH/ESP/IPcomp logic
    v     ^  ^                            |
  tunnel  |  +----------------------------+ decapsulated IPsec packets

and

    +---->IP output logic --------------> AH/ESP/IPcomp logic
    |     |  ^                            | (incl. IPsec tunnel
    |     |  |                            |  encapsulation)
  tunnel  |  +----------------------------+ encapsulated IPsec packets
  devices |
--
-david waitzman
BBN Technologies
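Added example (not part of the original message, and not NetBSD kernel code): a small Python model that walks packets along the arrows of the corrected diagrams. Inbound, a frame goes Network drivers -> ipfilter rules -> IP input logic -> AH/ESP/IPcomp logic, and the decapsulated packet re-enters IP input logic directly; outbound, IP output logic -> AH/ESP/IPcomp logic (incl. tunnel encapsulation), and the encapsulated packet re-enters IP output logic before meeting ipfilter on its way to the driver. The addresses, the "10.2." tunnel selector standing in for an SPD entry, and the port-23 filter rule are all constructed. What the model makes visible is the defensive consequence of the loop as drawn: ipfilter only ever evaluates the outer ESP packet, so a rule written against the inner packet's addresses or ports is never consulted for tunnelled traffic in either direction.

```python
# Toy model of the packet path in the corrected diagrams. Added illustration
# only; not NetBSD code. Addresses, the tunnel selector and the filter rule
# are constructed sample data.
from dataclasses import dataclass
from typing import Callable, List, Optional

ESP = 50   # IP protocol number of ESP
TCP = 6


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # set when this is an ESP tunnel packet


@dataclass
class FilterRule:
    action: str                        # "pass" or "block"
    match: Callable[[Packet], bool]


class Host:
    def __init__(self, rules: List[FilterRule], local: str, peer: str, remote_net: str):
        self.rules = rules
        self.local, self.peer = local, peer   # tunnel endpoints (constructed)
        self.remote_net = remote_net          # prefix reached via the tunnel (assumed SPD selector)
        self.filtered: List[Packet] = []      # every packet the ipfilter rules actually evaluated
        self.delivered: List[Packet] = []     # packets handed up to the transport layer
        self.wire: List[Packet] = []          # packets handed down to the network driver

    def ipfilter(self, pkt: Packet) -> bool:
        """'ipfilter rules' box: first matching rule decides, default pass."""
        self.filtered.append(pkt)
        for rule in self.rules:
            if rule.match(pkt):
                return rule.action == "pass"
        return True

    # inbound: Network drivers -> ipfilter rules -> IP input logic
    def receive(self, pkt: Packet) -> None:
        if self.ipfilter(pkt):
            self.ip_input(pkt)

    def ip_input(self, pkt: Packet) -> None:
        if pkt.proto == ESP and pkt.inner is not None:
            # AH/ESP/IPcomp logic decapsulates; per the loop in the diagram the
            # inner packet re-enters IP input logic, not the ipfilter rules
            self.ip_input(pkt.inner)
        else:
            self.delivered.append(pkt)        # up to transport layer, TCP/UDP

    # outbound: transport layer -> IP output logic -> ... -> network driver
    def send(self, pkt: Packet) -> None:
        self.ip_output(pkt)

    def ip_output(self, pkt: Packet) -> None:
        if pkt.proto != ESP and pkt.dst.startswith(self.remote_net):
            # AH/ESP/IPcomp logic (incl. IPsec tunnel encapsulation); the
            # encapsulated packet re-enters IP output logic
            self.ip_output(Packet(self.local, self.peer, ESP, inner=pkt))
            return
        if self.ipfilter(pkt):                # ipfilter rules, then the driver
            self.wire.append(pkt)


def make_host() -> Host:
    # constructed rule: block TCP to port 23 in either direction
    block_telnet = FilterRule("block", lambda p: p.proto == TCP and p.dport == 23)
    return Host([block_telnet], local="192.0.2.1", peer="198.51.100.7", remote_net="10.2.")


def inbound_demo() -> Host:
    h = make_host()
    inner = Packet("10.2.0.5", "10.1.0.9", TCP, dport=23)              # would be blocked if seen
    h.receive(Packet("198.51.100.7", "192.0.2.1", ESP, inner=inner))   # arrives tunnelled
    h.receive(Packet("203.0.113.9", "192.0.2.1", TCP, dport=23))       # arrives in the clear
    return h


def outbound_demo() -> Host:
    h = make_host()
    h.send(Packet("10.1.0.9", "10.2.0.5", TCP, dport=23))      # leaves through the tunnel
    h.send(Packet("10.1.0.9", "203.0.113.9", TCP, dport=23))   # leaves in the clear
    return h


if __name__ == "__main__":
    h = inbound_demo()
    print("inbound: ipfilter saw protocols", [p.proto for p in h.filtered],
          "; delivered", [(p.src, p.dport) for p in h.delivered])
    h = outbound_demo()
    print("outbound: ipfilter saw protocols", [p.proto for p in h.filtered],
          "; on wire", [p.proto for p in h.wire])
```

Run it and the inbound case shows ipfilter evaluating protocol 50 then 6: the clear-text port-23 packet is blocked, while the identical packet carried inside ESP is delivered. Outbound, the tunnelled packet reaches the wire as ESP and the rule again only sees the clear-text one. The tunnel selector is a plain prefix match because the message says nothing about SPD lookup; only the path through the boxes is taken from the diagrams.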