Hi all. I'm playing with FAST_IPSEC, and noticed what looks strange to me:

I have an ESP/Tunnel configuration, and when I wanted to track packet processing in the kernel, I noticed it goes 3 times through ip_input():

- The ESP packet passes through ip_input(), and is sent to the ipsec code.
- esp_input_cb() removes the ESP header and trailer, and sends it back to ipsec_common_input_cb().
- ipsec_common_input_cb() sends it back to ip_input(), without the ESP header, but still with an IPIP header (IP addresses are tunnel endpoints).
- ip_input() will send it to "I don't know exactly where" (but I guess it will go to ip_forward()), where the IPIP header will be removed and... yes, the packet will be sent again to ip_input(), where it will really be the inner packet...

Is this a bug, a "missing feature", or something done this way for "some good reason I don't see"?

KAME's IPSEC stack removes both the ESP header and the IPIP header at the same time (in esp4_input()/ipsec4_tunnel_validate()), so the packet is only seen twice by ip_input().

Yvan.
-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
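To make the two input paths described above concrete, here is a small added model (not FAST_IPSEC or KAME code) that walks a constructed ESP tunnel-mode packet through a toy ip_input() and counts the passes; it assumes a simplified ESP layout with no IV, ICV or decryption, and the kame_style flag, build_sample() and ip_input_model() are names chosen for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPPROTO_IPIP 4
#define IPPROTO_TCP  6
#define IPPROTO_ESP  50
#define MAX_PKT 128

/* Minimal IPv4 helpers: IHL lives in the low nibble of byte 0, protocol in byte 9. */
static size_t ip_hlen(const uint8_t *p) { return (size_t)(p[0] & 0x0f) * 4; }

/* Simplified ESP: 8-byte header (SPI, seq) and a trailer of pad, pad-length, next-header.
 * Assumption for this model: no IV/ICV and no decryption, only the framing. */
static int esp_strip(uint8_t *pkt, size_t *len, size_t off) {
  int next = pkt[*len - 1];
  size_t padlen = pkt[*len - 2];
  size_t body = *len - off - 8 - 2 - padlen;      /* decapsulated bytes after ESP header */
  memmove(pkt + off, pkt + off + 8, body);
  *len = off + body;
  return next;
}

/* Returns how many times ip_input() handles the packet; *proto gets the protocol delivered.
 * kame_style=1 drops the outer IP header together with ESP (esp4_input() behaviour);
 * kame_style=0 keeps it and re-enters with IPIP, as the post describes for FAST_IPSEC. */
static int ip_input_model(const uint8_t *in, size_t inlen, int kame_style, int *proto) {
  uint8_t pkt[MAX_PKT]; size_t len = inlen; int passes = 0;
  memcpy(pkt, in, inlen);
  for (;;) {
    passes++;                                    /* one trip through ip_input() */
    size_t hl = ip_hlen(pkt);
    int p = pkt[9];
    if (p == IPPROTO_ESP) {
      int next = esp_strip(pkt, &len, hl);       /* esp_input_cb(): ESP header/trailer gone */
      if (kame_style && next == IPPROTO_IPIP) {
        memmove(pkt, pkt + hl, len - hl); len -= hl;   /* outer (IPIP) header removed too */
      } else {
        pkt[9] = (uint8_t)next;                  /* outer header kept, now claims IPIP */
      }
      continue;                                  /* ipsec_common_input_cb() -> ip_input() */
    }
    if (p == IPPROTO_IPIP) {                     /* tunnel decapsulation, then ip_input() */
      memmove(pkt, pkt + hl, len - hl); len -= hl;
      continue;
    }
    *proto = p;                                  /* inner transport protocol delivered */
    return passes;
  }
}

/* Constructed sample: outer IPv4(ESP) | ESP hdr | inner IPv4(TCP) | 4 payload bytes | trailer. */
static size_t build_sample(uint8_t *buf) {
  size_t n = 0;
  memset(buf, 0, MAX_PKT);
  buf[0] = 0x45; buf[9] = IPPROTO_ESP; n = 20;             /* outer IP header */
  n += 8;                                                   /* SPI + sequence number */
  buf[n] = 0x45; buf[n + 9] = IPPROTO_TCP; n += 20;         /* inner IP header */
  memcpy(buf + n, "data", 4); n += 4;                       /* inner payload */
  buf[n++] = 0; buf[n++] = IPPROTO_IPIP;                    /* pad len 0, next header IPIP */
  return n;
}
```

With the sample packet, the FAST_IPSEC-style path reports three ip_input() passes and the KAME-style path two, both delivering the inner TCP packet.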