[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors

Michael Richardson mcr at xelerance.com
Thu Jan 10 09:38:46 EST 2008

Hash: SHA1

>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
    >> PFP = Populate From Packet.  The way to do this is to have the
    >> kernel send a copy of the header that caused the ACQUIRE along
    >> with the acquire, and then to latch the connection into a %hold.

    Herbert> Linux already copies all the packet headers into the SA
    Herbert> selector that's part of the ACQUIRE message.

  Yes, that's part of the problem.

  It might be that the SA should be created based upon things that
wasn't really known at the time, or isn't expressable in the kernel.
  IKEv2 permits multiple SAs with what appear to be identical selectors,
but they differ in other properties that only show up on the outside of
the packet.  Getting the whole packet lets implement more things.
  Originally, IKEv2 was actually going to transmit the header as part of
the SA create, because maybe it would mean something on the remote end.

    Herbert> We don't queue the packets but we do create a larval SA
    Herbert> which is not that different from KLIPS which IIRC just
    Herbert> drops the packets in %hold anyway.

  No, it queues two packets. (The first and last)
  This has significant performance benefits, and since it doesn't send
EAGAIN to the application, the application doesn't get a no-route-to-host.

    Herbert> What is missing is the code in pluto to create a wider
    Herbert> larval SA in response to the ACQUIRE message.  Without this
    Herbert> the same connection can end up triggering multiple ACQUIRE
    Herbert> messages, once for each flow.

  Yes, there was a discussion over a year ago about changing the per-X
policy.  This is what it is about.  Determining how detailed a tunnel
will result from a PFP.  

- -- 
]           Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]  Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
]mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
]panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list