Hi!
I was reading DESIGN and lib/flow.c to try and better understand the
behavior of Open vSwitch vis-a-vis IPsec authentication headers. It
looks like IPsec Authentication Headers are basically ignored on IPv6
packets when populating the 'flow' struct. As such, it would be possible
to match against, for example, TCP src/dst ports in a packet with
headers (IPv6, AH, TCP).
Couple of questions:
1) Is my understanding correct?
(Assuming it is...)
2) Is it possible to similarly ignore (transport-mode) AH in IPv4
packets, or does the presence of an AH preclude matching against L4 ports?
3) Can the current behavior be reconciled with OF 1.3's IPv6 extension
header handling, or will implementing that necessitate a breaking change?
Thanks!
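
An added example, not part of the original message and not code from Open vSwitch's lib/flow.c: a parser that steps over an Authentication Header (RFC 4302) in an IPv6 extension-header chain so that the TCP/UDP ports behind it remain readable for matching. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43, NH_AH = 51, NH_DSTOPTS = 60 };

/* Walk the IPv6 extension-header chain, stepping over AH, and return the L4
 * ports. The AH ICV is not verified: the ports are read as-is. Returns 0 on
 * success, -1 if truncated or the chain does not end in TCP/UDP (e.g. ESP). */
int l4_ports_past_ah(const uint8_t *p, size_t len, uint16_t *sport, uint16_t *dport)
{
    if (len < 40 || (p[0] >> 4) != 6) return -1;
    uint8_t nh = p[6];                 /* Next Header of the fixed IPv6 header */
    size_t off = 40, hlen;
    for (;;) {
        if (nh == NH_TCP || nh == NH_UDP) {
            if (len - off < 4) return -1;
            *sport = (uint16_t)(p[off] << 8 | p[off + 1]);
            *dport = (uint16_t)(p[off + 2] << 8 | p[off + 3]);
            return 0;
        }
        if (len - off < 2) return -1;
        if (nh == NH_AH)               /* AH length: 32-bit words, minus 2 */
            hlen = ((size_t)p[off + 1] + 2) * 4;
        else if (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS)
            hlen = ((size_t)p[off + 1] + 1) * 8;   /* 8-octet units, minus 1 */
        else return -1;                /* unknown or opaque header */
        if (hlen > len - off) return -1;
        nh = p[off];                   /* every handled header starts with Next Header */
        off += hlen;
    }
}

/* Constructed sample: IPv6 | AH (12-byte ICV) | TCP 49152 -> 443. */
size_t build_sample(uint8_t *b)
{
    memset(b, 0, 84);
    b[0] = 0x60; b[5] = 44; b[6] = NH_AH; b[7] = 64;        /* IPv6 fixed header */
    b[40] = NH_TCP; b[41] = 4;                              /* AH: (4 + 2) * 4 = 24 bytes */
    b[64] = 0xC0; b[65] = 0x00; b[66] = 0x01; b[67] = 0xBB; /* TCP ports at offset 64 */
    return 84;
}

int main(void)
{
    uint8_t b[84]; uint16_t s, d;
    if (l4_ports_past_ah(b, build_sample(b), &s, &d) == 0)
        printf("sport=%u dport=%u\n", s, d);
    return 0;
}
```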