[Openswan dev] Re: [Openswan Users]

Paul Wouters paul at xelerance.com
Wed Jan 4 20:14:00 CET 2006


On Wed, 4 Jan 2006, Michael Richardson wrote:

>     Paul> The cards cannot and should not rewrite ipsec packets. Any
>     Paul> change will break the authenticity of the packet. IPsec
>     Paul> protects against packet rewriting, whether it is done by the
>     Paul> good or the bad guys.
>
>   It is possible that the flag in the SKB that says to do the offload is
> not getting cleared by KLIPS.

Ok, added this pointer to a bug report to make sure.

>     Paul> Note that I said "ipsec packets". I meant protocol 50 and
>     Paul> 51. If we are talking about NAT-T packets, eg ESPinUDP
>     Paul> packets, then it should be possible to do hardware offloading
>     Paul> of the outer UDP packet. What packets did you see this
>     Paul> behaviour for?
>
>   We set the UDP checksum to 0 on NAT-T packets. UDP checksum is a waste
> of time, when we have the HMAC to authenticate the data.

But doesn't that make the packet 'invalid' to any router that might check
the checksum? What do the RFCs say? When should you do checksum verification?

Or did you mean KLIPS sets it to 0, and it's up to the kernel to fill it in before
sending?

Paul
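The distinction the thread turns on (the outer UDP header of a NAT-T packet may be touched by checksum offload, the inner ESP must not be rewritten at all) can be shown with a small constructed model. The following is an added example, not code from this thread or from Openswan/KLIPS: it assumes the simplest RFC 3948 layout (UDP port 4500 followed directly by ESP), a constructed key, constructed addresses, and a 128-bit truncated HMAC-SHA256 as the ESP ICV. It builds a packet with the UDP checksum left at zero, shows how a receiver treats a zero checksum (RFC 768 over IPv4: "no checksum", accept without verifying; RFC 3948 receivers must not depend on it), shows that filling the outer checksum in leaves the ESP integrity check intact, and shows that changing a single ESP byte fails that check.

```python
"""Constructed example: outer UDP checksum vs. inner ESP integrity on a
NAT-T (UDP-encapsulated ESP, RFC 3948) packet. Not Openswan/KLIPS code."""
import hashlib
import hmac
import struct

UDP_PROTO = 17
NAT_T_PORT = 4500
ICV_LEN = 16  # assumption: 128-bit truncated HMAC-SHA256 as the ESP ICV


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 UDP checksum over the IPv4 pseudo-header plus the segment.
    The checksum field inside udp_segment must already be zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(udp_segment))
    cs = 0xFFFF ^ _ones_complement_sum(pseudo + udp_segment)
    return cs or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def esp_icv(key: bytes, esp: bytes) -> bytes:
    """Integrity check value over the ESP header and body (constructed choice)."""
    return hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]


def build_nat_t_packet(key, spi, seq, esp_body, src_ip, dst_ip, with_checksum=False):
    """UDP header + ESP (SPI, sequence, body, ICV). The UDP checksum field is
    left at 0 as RFC 3948 recommends, unless with_checksum fills it in, which
    is what a NIC offloading the outer UDP checksum would do."""
    esp = struct.pack("!II", spi, seq) + esp_body
    payload = esp + esp_icv(key, esp)
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(payload), 0) + payload
    if with_checksum:
        cs = udp_checksum(src_ip, dst_ip, udp)
        udp = udp[:6] + struct.pack("!H", cs) + udp[8:]
    return udp


def verify_outer_udp(src_ip, dst_ip, udp) -> str:
    """Receiver-side rule for the outer header: 0 means the sender supplied no
    checksum, so accept without verifying; otherwise recompute and compare."""
    (cs,) = struct.unpack("!H", udp[6:8])
    if cs == 0:
        return "no-checksum"
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    return "ok" if udp_checksum(src_ip, dst_ip, zeroed) == cs else "bad"


def verify_inner_esp(key, udp) -> bool:
    """ESP integrity covers only the ESP bytes; the outer UDP header is not
    part of it, so rewriting the UDP checksum does not disturb it."""
    payload = udp[8:]
    esp, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    return hmac.compare_digest(esp_icv(key, esp), icv)


def flip_byte(pkt: bytes, offset: int) -> bytes:
    """Simulate a rewrite or corruption of one byte in transit."""
    return pkt[:offset] + bytes([pkt[offset] ^ 0x01]) + pkt[offset + 1:]


# Constructed sample values (documentation address ranges, demo key)
SRC = bytes([192, 0, 2, 1])
DST = bytes([198, 51, 100, 2])
KEY = b"constructed-demo-key"


def demo():
    pkt = build_nat_t_packet(KEY, 0x1000, 1, b"\xaa" * 24, SRC, DST)
    filled = build_nat_t_packet(KEY, 0x1000, 1, b"\xaa" * 24, SRC, DST, with_checksum=True)
    # Byte 16 is the first byte of the ESP body (8 UDP + 4 SPI + 4 sequence).
    return {
        "zero_checksum": verify_outer_udp(SRC, DST, pkt),
        "filled_checksum": verify_outer_udp(SRC, DST, filled),
        "inner_ok_either_way": verify_inner_esp(KEY, pkt) and verify_inner_esp(KEY, filled),
        "inner_after_esp_rewrite": verify_inner_esp(KEY, flip_byte(pkt, 16)),
        "outer_after_corruption": verify_outer_udp(SRC, DST, flip_byte(filled, 16)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` gives `no-checksum` for the packet as KLIPS would emit it, `ok` for the one whose outer checksum was filled in, `True` for the ESP check in both cases, and `False` once any ESP byte is altered; the corrupted checksummed packet reports `bad` on the outer header alone. The outer checksum is a transport-level sanity check that a middlebox may or may not validate; the ESP ICV is the cryptographic guarantee, and it is the one a NIC must never be allowed to recompute.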


