[Openswan dev] Re: [Openswan Users]

[Michael Richardson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    Paul> The cards cannot and should not rewrite ipsec packets. Any
    Paul> change will break the authenticity of the packet. IPsec
    Paul> protects against packet rewriting, whether it is done by the
    Paul> good or the bad guys.
  
  It is possible that the flag in the SKB that says to do the offload is
not getting cleared by KLIPS.

    Paul> Note that I said "ipsec packets". I menat protocol 50 and
    Paul> 51. If we are talking about NAT-T poackets, eg ESPinUDP
    Paul> packets, then it should be possible to do hardware offloading
    Paul> of the outer UDP packet. What packets did you see this
    Paul> behaviour for?

  We set the UDP checksum to 0 on NAT-T packets. UDP checksum is a waste
of time, when we have the HMAC to authenticate the data.

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBQ7wDGoCLcPvd0N1lAQLD/Qf+Pgz6kWmjFQ/CV5SpnTUkUkxXT9rd/PzM
/PQoElARSCeKPjzx069RC9tL4fF7A24I7PT5o10jbAmXXD7efKRG32ZfJutPUzxJ
qPjGV4U8phXJSoxwdXUjdQV4Ueo946RByTBrOiKd5kEogt3Otv9J6TJ/SNjrZWPh
dVhfOIctHP5bdNaPvyk6ooSiKu6CC8OPE1BIV2EGljscJ7B3iPQO3lOfEOdzNnvk
HZgJ7ryKmVoGDZ3sXHsPn9Jp0CwY5Ed32iesQyTC5aqfY5RvlQuZ2aJwZHJN2S15
L3PXDfHGv0wmjRU+76CEDiAB01DczZ04PZ/zGO4v956orpGvpxvmIQ==
=SJAq
-----END PGP SIGNATURE-----