Re: KAME IPsec vs Fast IPsec

[Arnaud Degroote <degroote%netbsd.org@localhost>]

> I want to know the plan of the extension header support in fast IPsec  
> too.
> 
> I'm working on Mobile IPv6 that uses extension header and IPsec same  
> time.  The missing extension header support in one of the reason for  
> me that I cannot move from KAME IPsec to fast IPsec.

Itojun has added some patches in feb 2007 to better support extension
header. There are still some problems, particulary the hbh extensions is
not correctly computed with this code.

The problem comes from the strategy of fast_ipsec. We do something like
that : 
  - ip6_ouput begins to prepend headers and extension headers if
    necessary
  - ipsec6_process_packet is called
  - when the fast_ipsec has finished its jobs, it reinjects the packet
    in the stack using ip6_output with a NULL context for ip6_pkopts and
ip6_moptions (which is correct in "tunnel case", but not in the case of
"transport mode" where we still need to threat some extension headers)

Consequences : all the threatement about extension header after ipsec
processing is not done (in particular bhb extension).

I think that we need to split ip6_output in two functions, and save the
full context of ip6 processing along the ip6_ouput1 ->
ipsec6_process_packet -> ip6_output2 if we want to have a 100% correct
behaviour. But I fear that it can be a performance killer and we have to
deal with tons of informations to pass in the different context.

Moreover, I don't have anymore ipv6 connection so it is hard to test
(only virtual things on my virtual qemu network).
-- 
Arnaud Degroote
degroote%netbsd.org@localhost