Subject: fast_ipsec and ipv6 : next step
To: None <tech-net@netbsd.org>
From: DEGROOTE Arnaud <degroote@enseirb.fr>
List: tech-net
Date: 10/16/2006 21:28:51
Hi everyone
I continue my work on the fast_ipsec implementation for ipv6. To
understand my problem, I give a little overview of fast_ipsec processing of
an ipv6 packet.
ip6_output
create exthdr if necessary
check policy
split the header if it is necessary
check about jumbo frame
chain exthdr if necessary
play with routing extension header if necessary
ipsec6_process_packet if necessary ( in this case, the job is finished
for this call )
lots of other stuff if we don't process the packet
ipsec_process_packet will encrypt the packet using opencrypto. When the
process is done, the packet is reinjected in ip6_output with dummy
arguments.
The approach is ok for basic packets ( without extension headers, no mobility
options, etc ... ). In other cases, it isn't correct. Calling ip6_output
with the good arguments is not really hard, I can just add a callback
parameter to ipsec6_process_packet.
The question is how to handle the second call to ip6_output. If we just
call ip6_output, exthdr will be processed two times and the packet will be
incorrect. I see two possible options and I want your opinions about them :
- cut ip6_output in two functions : the first before the ipsec
processing, the second after the ipsec processing. In the case
where there is no ipsec, the penalty is just an extra function
call
- add a possible flag IPV6_REENTRANT. If this flag is set, we
skip all the exthdr processing before ipsec processing.
In both cases, I will write a function which can retrieve exthdr from an
mbuf, so when we come back in ip6_output, I can retrieve the exthdrs if
there are any.
Can you comment on these ideas or give me some better ideas? I will listen to
any solution. Thanks a lot for your help.
PS : please CC me on reply
--
Degroote Arnaud
ENSEIRB Informatique
degroote@enseirb.fr
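The double-processing problem the post describes, and the IPV6_REENTRANT option it proposes, modelled as an added C example. This is not code from the post or from the NetBSD tree: the `struct pkt`, `struct policy`, the counter standing in for the real exthdr chain, and the `reentry_flags` parameter are all assumptions made for the illustration; only the name IPV6_REENTRANT comes from the post. Re-entering `ip6_output` with no flag (today's dummy-argument behaviour) chains the extension header a second time; re-entering with IPV6_REENTRANT skips the exthdr stage and the packet leaves with the header chained exactly once.

```c
/* Toy model of ip6_output -> ipsec6_process_packet -> ip6_output re-entry.
 * All structures and the reentry_flags parameter are constructed for this
 * example and are not the kernel's real interfaces. */
#include <stdbool.h>
#include <stdio.h>

#define IPV6_REENTRANT 0x01   /* flag name taken from the post: skip exthdr work on re-entry */

struct pkt {
    int  exthdr_count;   /* stands in for the chain of extension headers on the mbuf */
    bool ipsec_done;     /* set once the simulated IPsec transform has been applied */
    bool sent;           /* packet handed to the "wire" */
};

struct policy {
    bool require_ipsec;  /* security policy says: encrypt this packet */
    bool add_exthdr;     /* ip6_output must create and chain an extension header */
};

static int ip6_output(struct pkt *m, const struct policy *pol,
                      int flags, int reentry_flags);

/* Simulated ipsec6_process_packet: apply the transform, then re-enter
 * ip6_output.  reentry_flags is what the callback passes back in:
 * 0 models the current dummy-argument re-entry, IPV6_REENTRANT models
 * option 2 of the post. */
static int ipsec6_process_packet(struct pkt *m, const struct policy *pol,
                                 int reentry_flags)
{
    m->ipsec_done = true;                 /* opencrypto work done (simulated) */
    return ip6_output(m, pol, reentry_flags, reentry_flags);
}

static int ip6_output(struct pkt *m, const struct policy *pol,
                      int flags, int reentry_flags)
{
    if (!(flags & IPV6_REENTRANT)) {
        /* "create exthdr if necessary ... chain exthdr if necessary":
         * without the flag this stage runs again on the second pass. */
        if (pol->add_exthdr)
            m->exthdr_count++;
    }
    /* "check policy": hand the packet to IPsec exactly once */
    if (pol->require_ipsec && !m->ipsec_done)
        return ipsec6_process_packet(m, pol, reentry_flags);

    m->sent = true;                        /* "lots of other stuff", then out */
    return 0;
}

/* Run one packet through the model and report how many times the
 * extension header ended up chained on it. */
int exthdr_count_after(bool require_ipsec, bool add_exthdr, int reentry_flags)
{
    struct pkt m = { 0, false, false };
    struct policy pol = { require_ipsec, add_exthdr };
    if (ip6_output(&m, &pol, 0, reentry_flags) != 0 || !m.sent)
        return -1;
    return m.exthdr_count;
}

int main(void)
{
    printf("ipsec, naive re-entry:      exthdr chained %d time(s)\n",
           exthdr_count_after(true, true, 0));
    printf("ipsec, IPV6_REENTRANT:      exthdr chained %d time(s)\n",
           exthdr_count_after(true, true, IPV6_REENTRANT));
    printf("no ipsec, single pass:      exthdr chained %d time(s)\n",
           exthdr_count_after(false, true, 0));
    return 0;
}
```

The `ipsec_done` guard is what keeps the naive path from looping forever; in the model it plays the role of the real code's "job is finished for this call" condition. The split-function option from the post would give the same result as the flag, with the second half of `ip6_output` taking the place of the `flags & IPV6_REENTRANT` test.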