Subject: Re: Patch for Fast-IPsec over loopback
To: Sam Leffler <sam@errno.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 08/24/2003 10:59:53
In message <174103087.1061587218@melange.errno.com> Sam Leffler writes

[...]


>The reason these issues are coming up is because you must do special 
>processing when reusing mbufs that have tags associated with them to insure 
>the tags are not misinterpreted when/if the mbuf chain passes back through 
>the module that installed them.  When packets flow in the expected 
>direction (e.g. down to the interface) then the tags are reclaimed together 
>with the mbuf chain.  That if_loop re-uses mbufs and passes 
>them back up introduces issues.  The other known case is icmp input which 
>turns packets around to send a response.

The same issue comes up in other proprietary code, where some
in-kernel applications test whether or not ``this packet chain came in
via IPsec, and was IPsec-approved''. Currently done by checking for
IPSEC_DONE tags.



>That freebsd has "persistent tags" is not something that netbsd (currently) 
>needs to care about, but which we now have a model for.  Jonathan and I 
>were just working out a solution whereby he could accommodate our needs 
>without unnecessarily burdening netbsd.
>
>I haven't seen Angelos chime in here, but FWIW he has a BSDCon paper about 
>tags that echoes what I'm saying (or so I believe :)).


If I have understood Itojun's model correctly, then he's assuming that
all tags have a well-defined `producer' and a well-defined `consumer',
and that the `consumer' should remove tags.  

That doesn't work, for at least three reasons:

	1. sometimes upstream code which is neither a producer nor
	   (really) a consumer wants to know what happened at a lower layer.

	2. sometimes (special case of above) mbufs percolate to the
	  top of the protocol stack, and (as an optimization over allocating
	  brand-new mbufs) the inbound mbufs are modified  and sent back
	  down and out.  Here, we all agree the code using this
	  optimization should clear any tags.

	3. Sometimes (different special case of #1) tags may hit
	  an interface. The tags were put there on the assumption
	  that the interface would transmit the packet, then free
	  the packet along with its tags.

In #3, if such packets ever hit the loopback interface, the API is no
longer well-defined.
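
[Added example, not part of the original message and not NetBSD or FreeBSD code: a userland toy model of case #3, in which a tag set on the output path survives a loopback turn-around and is then read by an input-side "came in via IPsec" check. All struct and function names are hypothetical, and the single TAG_IPSEC_DONE value is a simplification standing in for the IPSEC_DONE tags mentioned above.]

```c
#include <stdlib.h>

/* Toy model only: hypothetical names, not the kernel's m_tag API. */
enum { TAG_IPSEC_DONE = 1 };          /* stands in for an IPSEC_DONE tag */

struct tag { int type; struct tag *next; };
struct pkt { struct tag *tags; };     /* stands in for an mbuf chain */

static void tag_add(struct pkt *p, int type) {
    struct tag *t = malloc(sizeof *t);
    if (t == NULL) abort();
    t->type = type;
    t->next = p->tags;
    p->tags = t;
}

static int tag_find(const struct pkt *p, int type) {
    for (const struct tag *t = p->tags; t != NULL; t = t->next)
        if (t->type == type) return 1;
    return 0;
}

static void tag_clear(struct pkt *p) {
    while (p->tags != NULL) {
        struct tag *t = p->tags;
        p->tags = t->next;
        free(t);
    }
}

/* Producer: the output path tags the packet, expecting the interface
 * to transmit it and free the tag together with the packet. */
static void ipsec_output(struct pkt *p) { tag_add(p, TAG_IPSEC_DONE); }

/* Upstream code that is neither producer nor consumer: it only asks
 * whether the packet carries the tag. */
static int input_was_ipsec(const struct pkt *p) { return tag_find(p, TAG_IPSEC_DONE); }

/* Loopback hands the same packet back up instead of freeing it.
 * strip_tags selects whether the tags are cleared on the turn-around. */
int loopback_verdict(int strip_tags) {
    struct pkt p = { NULL };
    ipsec_output(&p);
    if (strip_tags) tag_clear(&p);
    int verdict = input_was_ipsec(&p);
    tag_clear(&p);
    return verdict;
}

int main(void) { return (loopback_verdict(0) == 1 && loopback_verdict(1) == 0) ? 0 : 1; }
```

Without the clear, the input-side check reads a tag that was only ever meant for the output path; with it, the check sees an untagged packet.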