Subject: fast_ipsec and ipv6 : next step
To: None <tech-net@netbsd.org>
From: DEGROOTE Arnaud <degroote@enseirb.fr>
List: tech-net
Date: 10/16/2006 21:28:51
Hi everyone,

I continue my work on the fast_ipsec implementation for ipv6. To 
understand my problem, I give a little overview of fast_ipsec processing of
an ipv6 packet.

ip6_output
     create exthdr if necessary
     check policy
     split the header if it is necessary
     check about jumbo frame
     chain exthdr if necessary
     play with routing extension header if necessary
     ipsec6_process_packet if necessary (in this case, the job is finished
     for this call)

     lots of other stuff if we don't process the packet


     ipsec_process_packet will encrypt the packet using opencrypto. When the
     process is done, the packet is reinjected in ip6_output with dummy
     arguments.

The approach is ok for basic packets (without extension headers, no mobility
options, etc.). In other cases, it isn't correct. Calling ip6_output 
with the good arguments is not really hard; I can just add a callback
parameter to ipsec6_process_packet.

The question is how to handle the second call to ip6_output. If we just 
call ip6_output, exthdr will be processed two times and the packet will be
incorrect. I see two possible options and I want your opinions about them:
        - cut ip6_output in two functions: the first before the ipsec 
          processing, the second after the ipsec processing. In the case
          where there is no ipsec, the penalty is just an extra function 
          call

        - add a possible flag IPV6_REENTRANT. If this flag is set, we 
          skip all the exthdr processing before ipsec processing.

In both cases, I will write a function which can retrieve exthdr from a 
mbuf, so when we come back in ip6_output, I can retrieve the exthdrs if 
there are any.

Can you comment on these ideas or give me some better ideas? I will listen to
any solution. Thanks a lot for your help. 

PS: please CC me on reply

-- 
Degroote Arnaud
ENSEIRB Informatique
degroote@enseirb.fr
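An added illustration of the re-entry problem and of the IPV6_REENTRANT option (this is a toy model written for this page, not code from the post or from NetBSD's fast_ipsec): extension headers are modelled as 8-byte blocks, ESP is inserted in transport position after them, and the flag value, NEED_IPSEC, REINJECT_PLAIN and the packet layout are all constructed for the model.

```c
/* Toy model (not NetBSD code) of the ip6_output -> ipsec6_process_packet -> ip6_output
 * re-entry from the post. Exthdrs are 8-byte blocks: byte 0 next-header, byte 1 ext-len. */
#include <stdint.h>
#include <string.h>
#define IPV6_REENTRANT 0x1  /* the flag the post proposes (constructed value) */
#define NEED_IPSEC     0x2  /* constructed: packet matches an IPsec policy */
#define REINJECT_PLAIN 0x4  /* constructed: reinject without the flag (the bug) */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_ESP = 50 };
struct pkt { uint8_t buf[256]; unsigned len; int nexthdr; };
/* Put one extension header in front of the current chain. */
static void prepend_exthdr(struct pkt *p, int type) {
    memmove(p->buf + 8, p->buf, p->len); memset(p->buf, 0, 8);
    p->buf[0] = (uint8_t)p->nexthdr;   /* new header points at the old first one */
    p->len += 8; p->nexthdr = type;
}
/* Walk the next-header chain ("retrieve the exthdrs from the mbuf"). Returns the count;
 * *end = offset where the chain stops, *nhp = field naming the upper-layer protocol. */
int walk_exthdrs(struct pkt *p, unsigned *end, uint8_t **nhp) {
    int n = 0, nh = p->nexthdr; unsigned off = 0; uint8_t *last = NULL;
    while (nh == NH_HOPOPTS || nh == NH_ROUTING) {
        last = p->buf + off; nh = *last; off += (p->buf[off + 1] + 1) * 8; n++;
    }
    if (end) *end = off;
    if (nhp) *nhp = last;               /* NULL when the packet has no exthdrs */
    return n;
}
int ip6_output(struct pkt *p, int flags);
/* Transport-mode ESP: insert an ESP header after the exthdrs, then make the second
 * ip6_output call, with or without the re-entrancy flag. */
static int ipsec6_process_packet(struct pkt *p, int reinject_flags) {
    unsigned off; uint8_t *nhp; walk_exthdrs(p, &off, &nhp);
    int inner = nhp ? *nhp : p->nexthdr;
    memmove(p->buf + off + 8, p->buf + off, p->len - off);
    memset(p->buf + off, 0, 8); p->buf[off] = (uint8_t)inner; p->len += 8;
    if (nhp) *nhp = NH_ESP; else p->nexthdr = NH_ESP;
    return ip6_output(p, reinject_flags);  /* the second call to ip6_output */
}
int ip6_output(struct pkt *p, int flags) {
    if (!(flags & IPV6_REENTRANT)) {      /* "create exthdr if necessary" */
        prepend_exthdr(p, NH_ROUTING); prepend_exthdr(p, NH_HOPOPTS);
    }
    if (flags & NEED_IPSEC)
        return ipsec6_process_packet(p, (flags & REINJECT_PLAIN) ? 0 : IPV6_REENTRANT);
    return walk_exthdrs(p, NULL, NULL);   /* rest of the output path: report chain length */
}
int send_packet(int flags) {              /* 20-byte TCP payload; returns final exthdr count */
    struct pkt p = { .len = 20, .nexthdr = NH_TCP };
    return ip6_output(&p, flags);
}
```

Reinjecting with the flag leaves the chain at two extension headers followed by ESP; reinjecting without it prepends the chain a second time, which is the double processing the post warns about.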