Subject: Re: Splitting ip{,6}_output
To: jonathan <jonathan@dsg.stanford.edu>
From: degroote.netbsd <degroote.netbsd@laposte.net>
List: tech-net
Date: 03/03/2007 01:14:21
> In message <20070302224604.GA23060@NetBSD.org> DEGROOTE Arnaud writes
> >
> >In order to better integrate the fast_ipsec with our ipv{4,6} processing,
> >we need to make some changes to the current way to deal with the output
> >processing. Currently, we do something like this:
> >
> >ip6_output calls ipsec6_process_packet, which processes the ipsec
> >transformation in an asynchronous way. When it has finished,
> >ipsec_process_done is called and the packet is reinjected in ip6_output
> >with dummy arguments.
> >
> >There are two problems here:
> >    - we lose the current arguments of ip6_output (all the options in
> >      particular)
> >    - we process some things that we have already processed on the first
> >      pass
> >
> >The situation is quite the same on the v4 side, maybe worse because when we
> >call ipsec4_process_packet, we have already processed most of the ip_output
> >function.
>
> But for tunnel mode, don't we *want* to redo all that work?
> ("need to" might be more accurate.)

I understand what you mean. I think in fact we don't need to redo all the
work. KAME ipsec doesn't do it and I think it is safe. On the v6 side, we do
the ipsec transformation very quickly, so if we don't reenter directly in
ip6_output, we just miss the creation of extension headers (a thing we must
not do in tunnel mode). So on the v6 side, it is quite clear it is safe to
reenter only into ip6_output2.

On the v4 side, it is maybe a bit less clear, but we can assume that the
ipsec code has added a valid ipv4 header. We only need to check if we can
join dst with the route stored in the SA. This test can be easily done
before reentering in ip_output2.

Splitting the stack for the v4 side is not an absolute need; it would be
better to have two parts from the point of view of fast_ipsec, but if
someone thinks that it is required to replay all the ip output stack, I can
leave the netinet code in the current state.