[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors
Michael Richardson
mcr at xelerance.com
Thu Jan 10 09:38:46 EST 2008
>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
>> PFP = Populate From Packet. The way to do this is to have the
>> kernel send a copy of the header that caused the ACQUIRE along
>> with the acquire, and then to latch the connection into a %hold.
Herbert> Linux already copies all the packet headers into the SA
Herbert> selector that's part of the ACQUIRE message.
Yes, that's part of the problem.
It might be that the SA should be created based upon things that
weren't really known at the time, or aren't expressible in the kernel.
IKEv2 permits multiple SAs with what appear to be identical selectors,
but they differ in other properties that only show up on the outside of
the packet. Getting the whole packet lets us implement more things.
Originally, IKEv2 was actually going to transmit the header as part of
the SA create, because maybe it would mean something on the remote end.
Herbert> We don't queue the packets but we do create a larval SA
Herbert> which is not that different from KLIPS which IIRC just
Herbert> drops the packets in %hold anyway.
No, it queues two packets (the first and last).
This has significant performance benefits, and since it doesn't send
EAGAIN to the application, the application doesn't get a no-route-to-host.
Herbert> What is missing is the code in pluto to create a wider
Herbert> larval SA in response to the ACQUIRE message. Without this
Herbert> the same connection can end up triggering multiple ACQUIRE
Herbert> messages, once for each flow.
Yes, there was a discussion over a year ago about changing the per-X
policy. This is what it is about. Determining how detailed a tunnel
will result from a PFP.
--
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
]mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
]panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
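The following is an added illustration of the larval-SA / ACQUIRE behaviour discussed in this thread; it is a toy model written for this page, not code from Openswan, KLIPS or the Linux XFRM stack. The class and function names (Packet, Selector, LarvalSA, Kernel, simulate), the sample policy and the sample flows are all constructed for the example. It models the %hold as described in the message (only the first and most recent packet are kept) and contrasts a larval SA populated from the triggering packet's headers (one ACQUIRE per flow) with a larval SA as wide as the policy (one ACQUIRE per connection).

```python
# Added example (not code from the thread, Openswan/KLIPS or Linux XFRM):
# a toy model of outbound policy lookup, ACQUIRE generation and larval
# (%hold) SAs, showing why a per-flow larval SA yields one ACQUIRE per
# flow while a policy-wide larval SA yields one per connection.
# All names below are this model's own assumptions.
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges plus optional protocol/port."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class LarvalSA:
    """An SA awaiting keys. Models the %hold as described in the thread:
    only the first and the most recent packet are kept, not the whole flow."""
    selector: Selector
    held: deque = field(default_factory=deque)

    def hold(self, p: Packet) -> None:
        if len(self.held) < 2:
            self.held.append(p)
        else:
            self.held[-1] = p  # overwrite the "last" slot; the first packet stays


class Kernel:
    """Outbound path: policy lookup -> larval SA lookup -> ACQUIRE or hold."""

    def __init__(self, policy: Selector, wide_larval: bool):
        self.policy = policy
        self.wide_larval = wide_larval  # True: larval SA as wide as the policy
        self.larval: list = []
        self.acquires: list = []  # selectors sent up to the keying daemon

    def send(self, p: Packet) -> str:
        if not self.policy.matches(p):
            return "bypass"  # not subject to this IPsec policy
        for sa in self.larval:
            if sa.selector.matches(p):
                sa.hold(p)
                return "held"
        # No SA yet: emit an ACQUIRE. With PFP the selector is populated
        # from this packet's headers; the wide variant uses the policy's
        # selector instead, so later flows of the same connection match it.
        if self.wide_larval:
            sel = self.policy
        else:
            sel = Selector(f"{p.src}/32", f"{p.dst}/32", p.proto, p.dport)
        self.acquires.append(sel)
        sa = LarvalSA(sel)
        sa.hold(p)
        self.larval.append(sa)
        return "acquire"


def simulate(wide_larval: bool):
    """Send three flows between one host pair; return (ACQUIRE count, held sizes)."""
    policy = Selector("10.0.1.0/24", "10.0.2.0/24")  # constructed sample policy
    k = Kernel(policy, wide_larval)
    flows = [(40001, 22), (40002, 80), (40003, 443)]  # constructed sample ports
    for sport, dport in flows:
        for i in range(3):  # three packets per flow
            k.send(Packet("10.0.1.5", "10.0.2.9", 6, sport, dport, bytes([i])))
    return len(k.acquires), [len(sa.held) for sa in k.larval]


if __name__ == "__main__":
    print("per-flow larval SA:", simulate(False))    # (3, [2, 2, 2])
    print("policy-wide larval SA:", simulate(True))  # (1, [2])
```

Running it shows the point Herbert makes: with the larval SA scoped to the triggering packet, three ports from the same host pair produce three ACQUIREs and three larval SAs, whereas a larval SA as wide as the policy produces a single ACQUIRE, and in both cases each %hold retains only its first and most recent packet.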