FAST_IPSEC and tunnelled packets processing
VANHULLEBUS Yvan
vanhu_bsd at zeninc.net
Tue Mar 7 18:02:31 UTC 2006
Hi all.

I'm playing with FAST_IPSEC, and noticed what looks strange to me:
I have an ESP/Tunnel configuration, and when I wanted to track packet
processing in the kernel, I noticed it goes 3 times through ip_input():

- ESP packet passes through ip_input(), and is sent to ipsec code.
- esp_input_cb() removes the ESP header and trailer, and sends it back
to ipsec_common_input_cb().
- ipsec_common_input_cb() sends it back to ip_input(), without ESP header,
but still with an IPIP header (IP addresses are tunnel endpoints).
- ip_input() will send it to "I don't know exactly where" (but I guess
it will go to ip_forward()), where the IPIP header will be removed
and.... yes, packet will be sent again to ip_input(), where it will
really be the inner packet.....

Is this a bug, a "missing feature", or something done this way for
"some good reason I don't see"?

KAME's IPSEC stack removes both ESP header and IPIP header at the same
time (in esp4_input()/ipsec4_tunnel_validate()), so the packet is only
seen twice by ip_input().

Yvan.
--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
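The two decapsulation sequences described in the mail, written out as an added example in plain C. This is not FreeBSD or KAME code: it builds a constructed tunnel-mode ESP packet (outer IP | ESP | inner IP | payload | ESP trailer, with no encryption or ICV so the layering stays visible), strips the ESP header and trailer the way esp_input_cb() is described as doing, then strips the IPIP header, and counts how often the packet would re-enter ip_input(). The addresses, SPI and payload are constructed values; the protocol numbers are the IANA ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IANA protocol numbers: IP-in-IP, UDP, ESP. */
#define PROTO_IPIP 4
#define PROTO_UDP  17
#define PROTO_ESP  50

#define IPV4_HLEN 20
#define ESP_HLEN   8      /* SPI (4) + sequence number (4) */
#define MAXPKT   128

/* Write a minimal 20-byte IPv4 header (no options, checksum left zero). */
static void put_ipv4(uint8_t *p, uint16_t total_len, uint8_t proto,
                     uint32_t src, uint32_t dst)
{
    memset(p, 0, IPV4_HLEN);
    p[0] = 0x45;                                   /* version 4, IHL 5 */
    p[2] = (uint8_t)(total_len >> 8); p[3] = (uint8_t)total_len;
    p[8] = 64;                                     /* TTL */
    p[9] = proto;
    for (int i = 0; i < 4; i++) {
        p[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        p[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
}

static size_t  ipv4_hlen(const uint8_t *p)      { return (p[0] & 0x0f) * 4u; }
static uint8_t ipv4_proto(const uint8_t *p)     { return p[9]; }
static size_t  ipv4_total_len(const uint8_t *p) { return ((size_t)p[2] << 8) | p[3]; }

/* Build a constructed tunnel-mode ESP packet (NULL cipher, no authenticator):
 * outer IP | ESP hdr | inner IP | payload | padding | pad length | next header.
 * Returns the total length written to out (needs MAXPKT bytes). */
size_t build_tunnel_esp(uint8_t *out)
{
    const uint8_t payload[5] = { 'h', 'e', 'l', 'l', 'o' };   /* pretend UDP data */
    size_t inner_len = IPV4_HLEN + sizeof payload;            /* 25 */
    size_t pad = (4 - (inner_len + 2) % 4) % 4;               /* trailer ends on a 4-byte boundary */
    size_t total = IPV4_HLEN + ESP_HLEN + inner_len + pad + 2;
    uint8_t *p = out;

    put_ipv4(p, (uint16_t)total, PROTO_ESP, 0xC0000201u /*192.0.2.1*/, 0xC6336401u /*198.51.100.1*/);
    p += IPV4_HLEN;
    memset(p, 0, ESP_HLEN); p[2] = 0x10; p[7] = 1;           /* SPI 0x1000, seq 1 (constructed) */
    p += ESP_HLEN;
    put_ipv4(p, (uint16_t)inner_len, PROTO_UDP, 0x0A000001u /*10.0.0.1*/, 0x0A000101u /*10.0.1.1*/);
    memcpy(p + IPV4_HLEN, payload, sizeof payload);
    p += inner_len;
    for (size_t i = 0; i < pad; i++) p[i] = (uint8_t)(i + 1); /* RFC 4303 default padding */
    p[pad]     = (uint8_t)pad;                                 /* pad length */
    p[pad + 1] = PROTO_IPIP;                                   /* next header: an IPv4 packet follows */
    return total;
}

/* Remove the ESP header and trailer in place and rewrite the outer protocol to
 * the trailer's Next Header. The outer IP header stays, so an IPIP packet is left. */
int esp_strip(uint8_t *pkt, size_t *len)
{
    size_t hl = ipv4_hlen(pkt);
    if (ipv4_proto(pkt) != PROTO_ESP || *len < hl + ESP_HLEN + 2) return -1;
    uint8_t next = pkt[*len - 1], padlen = pkt[*len - 2];
    size_t body = *len - hl - ESP_HLEN - 2;
    if (padlen > body) return -1;              /* trailer claims more padding than exists */
    size_t inner = body - padlen;
    memmove(pkt + hl, pkt + hl + ESP_HLEN, inner);
    *len = hl + inner;
    pkt[9] = next;
    pkt[2] = (uint8_t)(*len >> 8); pkt[3] = (uint8_t)*len;
    return 0;
}

/* Remove the outer IP header (the IPIP decapsulation step). */
int ipip_strip(uint8_t *pkt, size_t *len)
{
    size_t hl = ipv4_hlen(pkt);
    if (ipv4_proto(pkt) != PROTO_IPIP || *len < hl + IPV4_HLEN) return -1;
    memmove(pkt, pkt + hl, *len - hl);
    *len -= hl;
    return 0;
}

/* Count ip_input() entries. combined=0: ESP stripped, requeued, IPIP stripped,
 * requeued (the sequence the mail describes). combined=1: ESP and IPIP removed
 * in one step before requeueing (the KAME behaviour the mail contrasts it with). */
int ip_input_passes(uint8_t *pkt, size_t *len, int combined)
{
    int passes = 1;                            /* first ip_input(): the outer ESP packet */
    while (ipv4_proto(pkt) == PROTO_ESP || ipv4_proto(pkt) == PROTO_IPIP) {
        if (ipv4_proto(pkt) == PROTO_ESP) {
            if (esp_strip(pkt, len) != 0) return -1;
            if (combined && ipv4_proto(pkt) == PROTO_IPIP && ipip_strip(pkt, len) != 0) return -1;
        } else if (ipip_strip(pkt, len) != 0) {
            return -1;
        }
        passes++;                              /* packet is handed to ip_input() again */
    }
    return passes;
}

int main(void)
{
    uint8_t pkt[MAXPKT];
    for (int combined = 0; combined < 2; combined++) {
        size_t len = build_tunnel_esp(pkt);
        int passes = ip_input_passes(pkt, &len, combined);
        printf("%s: %d ip_input() passes, final proto %u, len %zu (hdr says %zu)\n",
               combined ? "combined ESP+IPIP" : "separate ESP, IPIP",
               passes, ipv4_proto(pkt), len, ipv4_total_len(pkt));
    }
    return 0;
}
```

Running it shows 3 passes for the separate sequence and 2 for the combined one, with the same inner UDP packet coming out either way; the bounds checks in esp_strip() and ipip_strip() are what a decapsulation path has to get right, since the trailer's pad length and the inner header length both come from the wire.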