tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: IPsec: stack problems

On Thu, Mar 01, 2018 at 07:31:13AM +0100, Maxime Villard wrote:
> I'm a little concerned about the stack usage in the IPsec code. Note that what
> I'm talking about here occurs _after_ authentication.

I think that is a known design issue of the IPsec code. FreeBSD has been
talking about similar issues for years, too.

> Typically, when an IPv4-AH packet is received, the code path is:
> 	ip_input
> 	(*pr_input) = ipsec_common_input
> 	ah_input
> 	crypto_dispatch
> 	[several crypto functions are called]
> 	ah_input_cb
> 	ipsec4_common_input_cb
> 	(*pr_input) = depends on the packet

I wonder if the best appoach wouldn't be to cut the stack at this point
and defer the packet back to a netisr.


Home | Main Index | Thread Index | Old Index