[Openswan dev] Openswan on uClinux

Herbert Xu herbert at gondor.apana.org.au
Tue Dec 18 20:21:18 EST 2007


On Tue, Dec 18, 2007 at 02:42:13PM -0500, Venkat Yekkirala wrote:
>
> Actually even on NETKEY all xfrms should be applied BEFORE the
> packet ends up in ip_finish_output->ip_fragment, so frag/reassembly
> should be happening transparently (like they should). So, fragments
> shouldn't be going out in the clear. Is there a scenario where
> this isn't true?

You're absolutely corerct.  I suspect what the original poster
was seeing is the fact that tcpdump on the receiver picks up
both the original encrypted packet and the decrypted packet which
is fed through the whole networking stack again.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


More information about the Dev mailing list