Dear all:
In line 814 to line 843 in esp6_ctlinput(),
    if (cmd == PRC_MSGSIZE) {
        struct secasvar *sav;
        u_int32_t spi;
        int valid;
        /* check header length before using m_copydata */
        if (m->m_pkthdr.len < off + sizeof (struct esp))
ct route_in6, which could
accommodate both IPv4 and IPv6 address.
BR,
blue
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
If the above condition is accepted, then key_delsp() in key.c should not
call KEY_FREESAV() in case SA reference count underflow!
BR,
blue
Sorry, maybe my words make you confused.
What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which
is currently IPSEC in FreeBSD-7.0.
BR,
Yi-Wen
Bjoern A. Zeeb wrote:
On Wed, 1 Aug 2007, blue wrote:
Hi,
Dear all:
I do not know the purpose of the following co
Dear all:
Recently I am tracing the codes of ip6_forward(), which is defined in
ip6_forward.c. My referenced version is FreeBSD Release 6.1. I have the
following questions about IPsec operations:
(1) lines 489-512 are about the transmission of ICMP Packet Too Big
message. Is it necessary her
ern A. Zeeb wrote:
On Tue, 28 Aug 2007, blue wrote:
Hi,
Since our device adopts the IPsec codes from BSD, our device will
have infinite loop after receiving ICMP packet too big message.
I am not sure whether BSD itself will have the problem or not (maybe
needs further testing). In
cause of the infinite loop.
Best regards,
Yi-Wen
JINMEI Tatuya / 神明達哉 wrote:
At Tue, 28 Aug 2007 10:15:31 +0800,
blue <[EMAIL PROTECTED]> wrote:
When receiving a "packet too big" ICMP error message, FreeBSD will call
the ctlinput() function of the upper protocol. If the
Dear all:
When receiving a "packet too big" ICMP error message, FreeBSD will call
the ctlinput() function of the upper protocol. If the preceding packet
is an ESP IPv6 packet, then FreeBSD will call esp6_ctlinput(). In
esp6_ctlinput(), pfctlinput2() will be executed to traverse all possible
JINMEI Tatuya / 神明達哉 wrote:
At Fri, 10 Aug 2007 13:45:46 +0800,
blue <[EMAIL PROTECTED]> wrote:
Although DNS resolver may lead to some delay or misbehavior of the upper
application, I think that would be caller's responsibility to decide
which result it would like to use. I am
Max Laier wrote:
On Friday 10 August 2007, JINMEI Tatuya / 神明達哉 wrote:
At Fri, 10 Aug 2007 11:52:09 +0800,
blue <[EMAIL PROTECTED]> wrote:
When looking into kame-20070801-freebsd54-snap, the function,
_dns_getaddrinfo(), defined in getaddrinfo.c, will check if the
device ge
Dear all:
When looking into kame-20070801-freebsd54-snap, the function,
_dns_getaddrinfo(), defined in getaddrinfo.c, will check if the device
gets any IPv4/global IPv6 address before sending out any A/ query by
calling addrconfig() if the user does not specify the family type
(AF_UNSPEC)
Dear all:
I do not know the purpose of the following codes in the very beginning
in ip6_input():
    #ifdef IPSEC
        /*
         * should the inner packet be considered authentic?
         * see comment in ah4_input().
         */
        if (m) {
            m->m_flags &= ~M_AUTHIPHDR;
            m->m_flags &= ~M_AUTHIPDGM;
[EMAIL PROTECTED] wrote:
At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
Hi, all:
Recently I found the behavior for the command "setkey -FP" is quite
different for the latest version IPsec (known as FAST_IPSEC before).
Before the command would erase all the existed SP entries;
:yy::zz
inet6 11:22:33:44::11 --> 55:66:77:88::55 netmask 0x
But currently I could not succeed in making the inner addresses.
Eric F Crist wrote:
On Jul 26, 2007, at 8:11 PM, blue wrote:
Dear all:
I want to set up the gif tunnel for IPv6 IPsec as the F
Dear all:
I want to set up the gif tunnel for IPv6 IPsec as the Freebsd Handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
"VPN over IPsec" suggested for IPv4. However, I could not configure the
local IP address via
"ifconfig gif0 inet6 address>", ifconfig will compl
its status. On
the other hand, SA is like usual, once the "setkey -F" is typed in, the
SA entries will be erased right away.
Thanks.
BR,
blue
l. However, ipsec_set_policy() is used only for SP, not SA.
blue
aditya kiran wrote:
Hi,
I was just trying to understand PF_KEY interface for ipsec settings. So,
setkey uses it to do that. but i could find another system call -
ipsec_set_policy. Could any body let me know why there are two
int
Hi,
What is the main enhancement for the commit?
Tracing back the discussion, It is all about NAT-T?
How is the FAST_IPSEC for IPv6?
Thanks.
BR,
Susan
Norberto Meijome wrote:
On Mon, 2 Jul 2007 17:31:05 +0200
VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
http://vanhu.free.fr/FreeBSD/pat
Dear all:
I am tracing the codes for the implementation for IPsec recently. I have
two problems here about the implementation:
1. In ip6_input.c, before handing the packet to the next protocol
handler after processing of IPv6 headers,
#ifdef IPSEC
/*
* enforce IPsec policy c
Hi,
Thanks for your kindly and quick response :>
I still have some questions, though...
VANHULLEBUS Yvan wrote:
On Mon, Jun 25, 2007 at 02:50:08PM +0800, blue wrote:
Dear all:
Hi.
I found there are two directories about PF_KEY interface: netkey and
netipsec under $Free
l occur!
Many thanks.
blue
Hi, all:
Recently I found a paragraph of codes about IPSec replay prevention
that confused me a lot. Could you shed some light on me?
line 2370 to line 2407 in ipsec.c deal with the replay window update.
if (seq > replay->lastseq) {
/* seq is larger than lastseq. */
diff =
Dear all:
When looking into the soclose() in uipc_socket.c, I thought of one
possible situation.
If thread A called soclose() first, and then execute sorele() then
sofree(). However, in sofree() (defined in uipc_socket.c), the socket
mutex and accept mutex is unlocked first before releasing
configuration files? I could only find the ipcp syntax.
Best regards,
blue
e the
routing table lookup is unavoidable. So there's must be a good reason
for the change.
Best regards,
blue
and RFC 3517 (SACK based loss recovery) and could not find
anything related to the modification. Could not we just follow RFC 3782
and simply increment congestion window size by one?
Best regards,
blue
unavailable.
Best regards,
blue
ecause the
followed codes (from line 2228 to line 3261) would never be reached!
Best regards,
blue
he segment and
process it? Without considering T/TCP, the code should be:
    if ((thflags & TH_ACK) == 0) {
        goto drop;
    }
Best regards,
blue
logic be removed, either?
Best regards,
blue
In my opinion, it should be located right before ACCEPT_UNLOCK().
Best regards,
blue
31 matches