Subject: Re: IPsec policy cache hint
To: Jun-ichiro itojun Hagino <firstname.lastname@example.org>
From: Jason Thorpe <email@example.com>
Date: 02/28/2004 08:04:18
Content-Type: text/plain; charset=US-ASCII; format=flowed
On Feb 28, 2004, at 4:25 AM, Jun-ichiro itojun Hagino wrote:
> i'm a bit confused (or i do not understand your situation correctly).
> i'm assuming that you are talking about a listening socket, am i
> correct? (if it is a client socket, you have the whole info to be
> filled into IP header on connect(2))
No, not talking about a listening socket.

Let's assume a fully set-up TCP connection for the sake of this example.
I need to *quickly* determine, in tcp_output(), whether or not the
connection requires IPsec processing. But even
ipsec4_getpolicybysock() requires that the packet be fully formed (with
IP header in place, etc.). In my particular application, I need to
make this determination in order to decide the length of the TCP
segment I am going to send, so I can't even ask the question "does this
require IPsec processing?". What I'm basically looking for from this

* First TCP segment will go out assuming that the connection does
require IPsec processing. (Or whenever the SPD changes.)
* As that segment goes through ip_output(), the hint will be updated
to reflect "requires IPsec processing" or "does not require IPsec
* For subsequent TCP segments, then I can quickly see that a
connection does not require IPsec processing.

Does that make sense?

Also, ipsec4_getpolicybysock() performs a bunch of tests internally,
and then requires me to check for one of two values that both mean "no
IPsec processing required". What I effectively want to do is cache
part of the result of ipsec4_getpolicybysock() so that:

1. The test in tcp_output() is faster (important if you want to
support IPsec on maybe just one or two connections and then
run at Gig-E line rate on a few others).
2. A redundant test doesn't have to be made each time through

The short-circuit in ip_output() is really a side-effect, but a
beneficial one that can shave some cycles, even when the policy is
cached. Consider this just an extension of the cache that is already
implemented that can shave some cycles.
-- Jason R. Thorpe <firstname.lastname@example.org>
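The following is an added toy model of the per-connection policy hint described in the message above; it is not code from the thread or from NetBSD/KAME, and every name in it (toy_socket, spd_lookup, IPSEC_OVERHEAD, spd_generation) is invented for illustration. It shows the three-state cache (unknown / required / bypass), the conservative first-segment assumption, the refresh in ip_output() once the packet is complete, the short-circuit of the expensive lookup for a cached "bypass" answer, and invalidation of the hint by a generation counter when the SPD changes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the per-connection IPsec "policy hint" discussed in the
 * message.  Added illustration only, not NetBSD/KAME code; all names
 * below are invented. */

enum ipsec_hint {
    IPSEC_HINT_UNKNOWN = 0,  /* never computed, or invalidated by an SPD change */
    IPSEC_HINT_REQUIRED,     /* last ip_output() found an applicable policy */
    IPSEC_HINT_BYPASS        /* last ip_output() found no IPsec needed */
};

/* Bumped whenever the SPD changes; a hint is valid only if it was
 * computed under the current generation. */
static uint32_t spd_generation = 1;

struct toy_socket {
    enum ipsec_hint hint;
    uint32_t hint_gen;        /* spd_generation the hint was computed under */
    bool policy_needs_ipsec;  /* stands in for what the SPD says about this flow */
    unsigned lookups;         /* how many expensive lookups were performed */
};

#define TCP_MSS        1460u
#define IPSEC_OVERHEAD   56u  /* constructed ESP/tunnel overhead allowance */

static void spd_changed(void) { spd_generation++; }

static bool hint_valid(const struct toy_socket *so) {
    return so->hint != IPSEC_HINT_UNKNOWN && so->hint_gen == spd_generation;
}

/* Stands in for ipsec4_getpolicybysock(): in the real kernel it needs a
 * fully formed packet, so tcp_output() cannot call it before sizing the
 * segment. */
static bool spd_lookup(struct toy_socket *so) {
    so->lookups++;
    return so->policy_needs_ipsec;
}

/* tcp_output() fast path: a cheap per-socket test.  Anything other than a
 * current BYPASS hint falls back to the conservative assumption. */
static bool tcp_output_assume_ipsec(const struct toy_socket *so) {
    return !(hint_valid(so) && so->hint == IPSEC_HINT_BYPASS);
}

/* Segment length chosen before the packet exists: leave room for IPsec
 * unless the hint says the connection is known not to need it. */
static unsigned tcp_output_segment_len(const struct toy_socket *so) {
    return tcp_output_assume_ipsec(so) ? TCP_MSS - IPSEC_OVERHEAD : TCP_MSS;
}

/* ip_output(): the packet is complete here, so the real lookup can run.
 * Its result refreshes the hint; a current BYPASS hint short-circuits the
 * lookup entirely (the side-effect the message mentions).  Returns whether
 * this packet needs IPsec processing. */
static bool ip_output(struct toy_socket *so) {
    if (hint_valid(so) && so->hint == IPSEC_HINT_BYPASS)
        return false;
    bool needs = spd_lookup(so);
    so->hint = needs ? IPSEC_HINT_REQUIRED : IPSEC_HINT_BYPASS;
    so->hint_gen = spd_generation;
    return needs;
}

int main(void) {
    struct toy_socket so = { IPSEC_HINT_UNKNOWN, 0, false, 0 };
    for (int i = 0; i < 3; i++) {
        unsigned len = tcp_output_segment_len(&so);
        bool needs = ip_output(&so);
        printf("segment %d: len=%u ipsec=%d lookups=%u\n", i, len, needs, so.lookups);
    }
    spd_changed();                 /* SPD edit invalidates every cached hint */
    so.policy_needs_ipsec = true;  /* the new SPD covers this flow */
    unsigned len = tcp_output_segment_len(&so);
    bool needs = ip_output(&so);
    printf("after SPD change: len=%u ipsec=%d lookups=%u\n", len, needs, so.lookups);
    return 0;
}
```

Only a cached "bypass" is trusted by the fast path; "required" and "unknown" both fall through to the conservative sizing, and a stale generation is treated as unknown, so an SPD change can never leave a connection sending unprotected segments on the strength of an old answer.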