Subject: Re: IPsec policy cache hint
To: None <firstname.lastname@example.org>
From: Jun-ichiro itojun Hagino <email@example.com>
Date: 02/29/2004 04:38:41
> > i'm a bit confused (or i do not understand your situation correctly).
> > i'm assuming that you are talking about a listening socket, am i
> > correct? (if it is a client socket, you have the whole info to be
> > filled into IP header on connect(2))
> No, not talking about a listening socket.
> Let's assume a fully set-up TCP connection for the sake of this example.
> I need to *quickly* determine, in tcp_output(), whether or not the
> connection requires IPsec processing. But even
> ipsec4_getpolicybysock() requires that the packet be fully formed (with
> IP header in place, etc.). In my particular application, I need to
> make this determination in order to decide the length of the TCP
> segment I am going to send, so I can't even ask the question "does this
> require IPsec processing?". What I'm basically looking for from this
> patch is:
> * First TCP segment will go out assuming that the connection does
> require IPsec processing. (Or whenever the SPD changes.)
> * As that segment goes through ip_output(), the hint will be updated
> to reflect "requires IPsec processing" or "does not require IPsec
> * For subsequent TCP segments, then I can quickly see that a
> connection does not require IPsec processing.
> Does that make sense?
now i see what your patch is about, thanks. i may be able to test it
this week (if i can find some time during IETF... unlikely?).