On Thu, Feb 7, 2013 at 3:23 PM, Saul St. John <sstj...@cs.wisc.edu> wrote:
> Hi!
>
> I was reading DESIGN and lib/flow.c to try and better understand the
> behavior of Open vSwitch vis-a-vis IPsec authentication headers. It looks
> like IPsec Authentication Headers are basically ignored on IPv6 packets when
> populating the 'flow' struct. As such, it would be possible to match
> against, for example, TCP src/dst ports in a packet with headers (IPv6, AH,
> TCP).
>
> Couple of questions:
>
> 1) Is my understanding correct?
>
> (Assuming it is...)
Yes, that looks right.

> 2) Is it possible to similarly ignore (transport-mode) AH in IPv4 packets,
> or does the presence of an AH preclude matching against L4 ports?

It should be possible, although the case for it is less clear, since with IPv6 the extension headers are part of the L3 header, whereas in IPv4 they are acting like an L4 header. As a result, if we went down this path and started adding protocols to skip, it would change behavior over time.

> 3) Can the current behavior be reconciled with OF 1.3's IPv6 extension
> header handling, or will implementing that necessitate a breaking change?

I don't think it is a problem to add support for OpenFlow's extension header support, since that essentially appears as an extra field that is a mask of the headers skipped.

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
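The asymmetry discussed in this thread, as an added illustration that is not code from Open vSwitch or from either poster: a cut-down flow extractor that walks the IPv6 extension header chain (AH included) before looking for TCP/UDP ports, but treats an IPv4 AH as the transport protocol and so never reaches the ports behind it. It also records the headers it skipped as a mask, which is the shape of the OF 1.3 IPV6_EXTHDR field mentioned in the reply. `struct mini_flow`, `skip_ipv6_exthdrs`, `parse_packet` and the helper names are hypothetical, the sample packets are constructed rather than captured, and the mask bit values are taken from OpenFlow 1.3's `ofp_ipv6exthdr_flags`. One practical caveat the example makes explicit: the AH length field is in 32-bit words minus 2 (RFC 4302), not in the 8-octet units used by the other extension headers, and a bounds check is needed because the packet, not the parser, decides how long each header claims to be.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers, named locally to avoid pulling in <netinet/in.h>. */
enum { P_HOP = 0, P_TCP = 6, P_UDP = 17, P_ROUTING = 43, P_FRAG = 44, P_AH = 51, P_DST = 60 };
/* OpenFlow 1.3 IPV6_EXTHDR bits (ofp_ipv6exthdr_flags) for headers this walk can skip. */
enum { EH_AUTH = 1 << 2, EH_DEST = 1 << 3, EH_FRAG = 1 << 4, EH_ROUTER = 1 << 5, EH_HOP = 1 << 6 };

/* Hypothetical cut-down stand-in for the OVS 'struct flow' fields discussed. */
struct mini_flow {
    uint8_t  nw_proto;        /* protocol left after the header walk */
    uint16_t tp_src, tp_dst;  /* host byte order; valid only when l4_valid */
    bool     l4_valid;
    uint16_t ipv6_exthdr;     /* mask of IPv6 extension headers skipped */
};

/* Walk IPv6 extension headers from *off; leaves *nh/*off at the first header
 * that is not skipped. Returns false if any header runs past the packet. */
static bool skip_ipv6_exthdrs(const uint8_t *p, size_t len, uint8_t *nh, size_t *off, uint16_t *mask)
{
    for (;;) {
        size_t hlen;
        uint16_t bit;
        switch (*nh) {
        case P_HOP: case P_ROUTING: case P_DST:
            if (*off + 2 > len) return false;
            hlen = ((size_t)p[*off + 1] + 1) * 8;   /* Hdr Ext Len: 8-octet units, first 8 excluded */
            bit = *nh == P_HOP ? EH_HOP : *nh == P_ROUTING ? EH_ROUTER : EH_DEST;
            break;
        case P_FRAG:
            hlen = 8; bit = EH_FRAG;                /* fixed-size header */
            break;
        case P_AH:
            if (*off + 2 > len) return false;
            /* RFC 4302: AH Payload Len is in 32-bit words minus 2, unlike the
             * 8-octet convention of the other extension headers. */
            hlen = ((size_t)p[*off + 1] + 2) * 4; bit = EH_AUTH;
            break;
        default:
            return true;                            /* ESP, TCP, UDP, ...: stop here */
        }
        if (*off + hlen > len) return false;        /* header claims more than we have */
        *mask |= bit;
        *nh = p[*off];                              /* Next Header of the skipped header */
        *off += hlen;
    }
}

/* Populate 'f' from a raw IPv4/IPv6 packet (no Ethernet header). */
static bool parse_packet(const uint8_t *p, size_t len, struct mini_flow *f)
{
    size_t off; uint8_t proto;
    memset(f, 0, sizeof *f);
    if (len < 20) return false;
    if (p[0] >> 4 == 4) {
        off = (size_t)(p[0] & 0x0f) * 4;
        if (off < 20 || off > len) return false;
        proto = p[9];            /* no walk: an AH stays the "L4" protocol */
    } else if (p[0] >> 4 == 6) {
        if (len < 40) return false;
        off = 40; proto = p[6];
        if (!skip_ipv6_exthdrs(p, len, &proto, &off, &f->ipv6_exthdr)) return false;
    } else {
        return false;
    }
    f->nw_proto = proto;
    if ((proto == P_TCP || proto == P_UDP) && off + 4 <= len) {
        f->tp_src = (uint16_t)(p[off] << 8 | p[off + 1]);
        f->tp_dst = (uint16_t)(p[off + 2] << 8 | p[off + 3]);
        f->l4_valid = true;
    }
    return true;
}

/* Constructed sample (not a capture): IP | AH (24 bytes, 12-byte ICV) | TCP 443 -> 51234. */
static size_t build_ah_tcp(uint8_t *buf, size_t cap, bool v6)
{
    const size_t l3 = v6 ? 40 : 20, ah = 24, total = l3 + ah + 20;
    if (cap < total) return 0;
    memset(buf, 0, total);
    if (v6) { buf[0] = 0x60; buf[5] = (uint8_t)(ah + 20); buf[6] = P_AH; buf[7] = 64; buf[23] = 1; buf[39] = 2; }
    else    { buf[0] = 0x45; buf[3] = (uint8_t)total; buf[8] = 64; buf[9] = P_AH; buf[15] = 1; buf[19] = 2; }
    buf[l3] = P_TCP;                                   /* AH Next Header */
    buf[l3 + 1] = (uint8_t)(ah / 4 - 2);               /* AH Payload Len = 4 -> 24 bytes */
    buf[l3 + ah] = 0x01; buf[l3 + ah + 1] = 0xbb;      /* TCP src 443 */
    buf[l3 + ah + 2] = 0xc8; buf[l3 + ah + 3] = 0x22;  /* TCP dst 51234 */
    buf[l3 + ah + 12] = 0x50;                          /* data offset 5 */
    return total;
}

/* Parse the sample; with bad_ah_len the AH claims 1028 bytes, far past the end. */
static bool parse_sample(bool v6, bool bad_ah_len, struct mini_flow *f)
{
    uint8_t buf[128];
    size_t n = build_ah_tcp(buf, sizeof buf, v6);
    if (!n) return false;
    if (bad_ah_len) buf[v6 ? 41 : 21] = 0xff;
    return parse_packet(buf, n, f);
}
static int  ah_tcp_dst_port(bool v6)      { struct mini_flow f; return parse_sample(v6, false, &f) && f.l4_valid ? f.tp_dst : -1; }
static int  ah_tcp_nw_proto(bool v6)      { struct mini_flow f; return parse_sample(v6, false, &f) ? f.nw_proto : -1; }
static int  ah_tcp_exthdr(bool v6)        { struct mini_flow f; return parse_sample(v6, false, &f) ? f.ipv6_exthdr : -1; }
static bool bad_ah_len_rejected(bool v6)  { struct mini_flow f; return !parse_sample(v6, true, &f); }

int main(void)
{
    printf("IPv6|AH|TCP: nw_proto=%d dst_port=%d exthdr=0x%x bad_len_rejected=%d\n",
           ah_tcp_nw_proto(true), ah_tcp_dst_port(true), ah_tcp_exthdr(true), bad_ah_len_rejected(true));
    printf("IPv4|AH|TCP: nw_proto=%d dst_port=%d\n", ah_tcp_nw_proto(false), ah_tcp_dst_port(false));
    return 0;
}
```

Run as-is, the IPv6 packet yields nw_proto 6 with dst port 51234 and mask 0x4 (AUTH), while the same AH+TCP stack behind an IPv4 header yields nw_proto 51 and no ports. The oversized AH length is rejected only on the IPv6 path; the IPv4 path never reads it, which is the other side of the "behavior changes as protocols are added to the skip list" point made in the reply.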