Subject: Re: IPsec policy cache hint
To: Jun-ichiro itojun Hagino <>
From: Jason Thorpe <>
List: tech-net
Date: 02/28/2004 08:04:18
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed

On Feb 28, 2004, at 4:25 AM, Jun-ichiro itojun Hagino wrote:

> 	i'm a bit confused (or i do not understand your situation correctly).
> 	i'm assuming that you are talking about a listening socket, am i
> 	correct? (if it is a client socket, you have the whole info to be
> 	filled into IP header on connect(2))

No, not talking about a listening socket.

Let's assume a fully set-up TCP connection for the sake of this example.

I need to *quickly* determine, in tcp_output(), whether or not the 
connection requires IPsec processing.  But even 
ipsec4_getpolicybysock() requires that the packet be fully formed (with 
IP header in place, etc.).  In my particular application, I need to 
make this determination in order to decide the length of the TCP 
segment I am going to send, so I can't even ask the question "does this 
require IPsec processing?".  What I'm basically looking for from this 
patch is:

	* First TCP segment will go out assuming that the connection does
	  require IPsec processing.  (Or whenever the SPD changes.)

	* As that segment goes through ip_output(), the hint will be updated
	  to reflect "requires IPsec processing" or "does not require IPsec

	* For subsequent TCP segments, then I can quickly see that a
	  connection does not require IPsec processing.

Does that make sense?

Also, ipsec4_getpolicybysock() performs a bunch of tests internally, 
and then requires me to check for one of two values that both mean "no 
IPsec processing required".  What I effectively want to do is cache 
part of the result of ipsec4_getpolicybysock() so that:

	1. The test in tcp_output() is faster (important if you want to
	   support IPsec on maybe just one or two connections and then
	   run at Gig-E line rate on a few others).

	2. A redundant test doesn't have to be made each time through

The short-circuit in ip_output() is really a side-effect, but a 
beneficial one that can shave some cycles, even when the policy is 
cached.  Consider this just an extension of the cache that is already 
implemented that can shave some cycles.

         -- Jason R. Thorpe <>
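An added illustration of the per-connection hint Jason describes (example code written for this page, not NetBSD's implementation or anything from the thread): the enum, the `conn` struct, `spd_generation` and the function names are assumptions. The generation counter stands in for "whenever the SPD changes", so a cached "not required" answer goes stale the moment policy is edited and the conservative path is taken again until ip_output() refreshes it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hint states (names are assumptions, not NetBSD's). */
enum ipsec_hint { HINT_UNKNOWN, HINT_REQUIRED, HINT_NOT_REQUIRED };

/* Stand-in for the SPD: one policy bit plus a generation bumped on every change. */
static uint32_t spd_generation = 1;
static bool spd_requires_ipsec = false;

struct conn {
    enum ipsec_hint hint;
    uint32_t hint_gen;      /* SPD generation the hint was computed against */
    size_t ipsec_overhead;  /* constructed: bytes reserved for AH/ESP headers */
};

struct conn conn_new(size_t ipsec_overhead) {
    struct conn c = { HINT_UNKNOWN, 0, ipsec_overhead };
    return c;
}

/* Policy change: bumping the generation invalidates every cached hint at once. */
void spd_update(bool requires_ipsec) {
    spd_requires_ipsec = requires_ipsec;
    spd_generation++;
}

/* Fast path for tcp_output(): no SPD lookup; assume IPsec when unknown or stale. */
bool conn_assume_ipsec(const struct conn *c) {
    if (c->hint == HINT_UNKNOWN || c->hint_gen != spd_generation)
        return true;
    return c->hint == HINT_REQUIRED;
}

/* Segment sizing: reserve IPsec overhead only while we must assume it is needed. */
size_t tcp_segment_len(const struct conn *c, size_t mtu) {
    return mtu - (conn_assume_ipsec(c) ? c->ipsec_overhead : 0);
}

/* Slow path for ip_output(): full policy decision, cached with the generation. */
bool ip_output_update_hint(struct conn *c) {
    bool required = spd_requires_ipsec;  /* stands in for ipsec4_getpolicybysock() */
    c->hint = required ? HINT_REQUIRED : HINT_NOT_REQUIRED;
    c->hint_gen = spd_generation;
    return required;
}
```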
