Hi, all:
Recently I found a paragraph of codes about IPSec replay prevention
that confused me a lot. Could you shed some light on me?
line 2370 to line 2407 in ipsec.c deal with the replay window update.
/if (seq > replay->lastseq) {
/* seq is larger than lastseq. */
diff =
l occur!
Many thanks.
blue
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Hi,
Thanks for your kindly and quick response :>
I still have some questions, though...
VANHULLEBUS Yvan wrote:
On Mon, Jun 25, 2007 at 02:50:08PM +0800, blue wrote:
Dear all:
Hi.
I found there are two directories about PF_KEY interface: netkey and
netipsec under $Free
Dear all:
I am tracing the codes for the implementation for IPsec recently. I have
two problems here about the implementation:
1. In ip6_input.c, before handing the packet to the next protocol
handler after processing of IPv6 headers,
#ifdef IPSEC
/*
* enforce IPsec policy c
Hi,
What is the main enhancement for the commit?
Tracing back the discussion, It is all about NAT-T?
How is the FAST_IPSEC for IPv6?
Thanks.
BR,
Susan
Norberto Meijome wrote:
On Mon, 2 Jul 2007 17:31:05 +0200
VANHULLEBUS Yvan <[EMAIL PROTECTED]> wrote:
http://vanhu.free.fr/FreeBSD/pat
l. However, ipsec_set_policy() is used only for SP, not SA.
blue
aditya kiran wrote:
Hi,
I was just trying to understand PF_KEY interface for ipsec settings. So,
setkey uses it to do that. but i could find another system call -
ipsec_set_policy. Could any body let me know why there are two
int
Dear all:
I want to set up the gif tunnel for IPv6 IPsec as the Freebsd Handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
"VPN over IPsec" suggested for IPv4. However, I could not configure the
local IP address via
"ifconfig gif0 inet6 address>", ifconfig will compl
:yy::zz
inet6 11:22:33:44::11 --> 55:66:77:88::55 netmask 0x
But currently I could not succeed in making the inner addresses.
Eric F Crist wrote:
On Jul 26, 2007, at 8:11 PM, blue wrote:
Dear all:
I want to set up the gif tunnel for IPv6 IPsec as the F
its status. On
the other hand, SA is like usual, once the "setkey -F" is typed in, the
SA entries will be erased right away.
Thanks.
BR,
blue
[EMAIL PROTECTED] wrote:
At Thu, 26 Jul 2007 11:13:53 +0800,
blue wrote:
Hi, all:
Recently I found the behavior for the command "setkey -FP" is quite
different for the latest version IPsec (known as FAST_IPSEC before).
Before the command would erase all the existed SP entries;
Dear all:
I do not know the purpose of the following codes in the very beginning
in ip6_input():
#ifdef IPSEC
/*
* should the inner packet be considered authentic?
* see comment in ah4_input().
*/
if (m) {
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
Dear all:
When looking into kame-20070801-freebsd54-snap, the function,
_dns_getaddrinfo(), defined in getaddrinfo.c, will check if the device
gets any IPv4/global IPv6 address before sending out any A/ query by
calling addrconfig() if the user does not specify the family type
(AF_UNSPEC)
Max Laier wrote:
On Friday 10 August 2007, JINMEI Tatuya / 神明達哉 wrote:
At Fri, 10 Aug 2007 11:52:09 +0800,
blue <[EMAIL PROTECTED]> wrote:
When looking into kame-20070801-freebsd54-snap, the function,
_dns_getaddrinfo(), defined in getaddrinfo.c, will check if the
device ge
JINMEI Tatuya / wrote:
At Fri, 10 Aug 2007 13:45:46 +0800,
blue <[EMAIL PROTECTED]> wrote:
Although DNS resolver may lead to some delay or misbehavior of the upper
application, I think that would be caller's responsibility to decide
which result it would like to use. I am
Dear all:
When receiving a "packet too big" ICMP error message, FreeBSD will call
the ctlinput() function of the upper protocol. If the preceding packet
is an ESP IPv6 packet, then FreeBSD will call esp6_ctlinput(). In
esp6_ctlinput(), pfctlinput2() will be executed to traverse all possible
cause of the infinite loop.
Best regards,
Yi-Wen
JINMEI Tatuya / wrote:
At Tue, 28 Aug 2007 10:15:31 +0800,
blue <[EMAIL PROTECTED]> wrote:
When receiving a "packet too big" ICMP error message, FreeBSD will call
the ctlinput() function of the upper protocol. If the
ern A. Zeeb wrote:
On Tue, 28 Aug 2007, blue wrote:
Hi,
Since our device adopts the IPsec codes from BSD, our device will
have infinite loop after receiving ICMP packet too big message.
I am not sure whether BSD itself will have the problem or not (maybe
needs further testing). In
Dear all:
Recently I am tracing the codes of ip6_forward(), which is defined in
ip6_forward.c. My referenced version is FreeBSD Release 6.1. I have the
following questions about IPsec operations:
(1) lines 489-512 are about the transmission of ICMP Packet Too Big
message. Is it necessary her
Sorry, maybe my words make you confused.
What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which
is currently IPSEC in FreeBSD-7.0.
BR,
Yi-Wen
Bjoern A. Zeeb wrote:
On Wed, 1 Aug 2007, blue wrote:
Hi,
Dear all:
I do not know the purpose of the following co
If the above condition is accepted, then key_delsp() in key.c should not
call KEY_FREESAV() in case SA reference count underflow!
BR,
blue
ct route_in6, which could
accommodate both IPv4 and IPv6 address.
BR,
blue
Dear all:
In line 814 to line 843 in esp6_ctlinput(),
if (cmd == PRC_MSGSIZE) {
struct secasvar *sav;
u_int32_t spi;
int valid;
/* check header length before using m_copydata */
if (m->m_pkthdr.len < off + sizeof (struct esp))
In my opinion, it should be located right before ACCEPT_UNLOCK().
Best regards,
blue
logic be removed, either?
Best regards,
blue
he segment and
process it? Without considering T/TCP, the code should be:
if ((thflags & TH_ACK) == 0) {
goto drop;
}
Best regards,
blue
ecause the
followed codes (from line 2228 to line 3261) would never be reached!
Best regards,
blue
unavailable.
Best regards,
blue
and RFC 3517 (SACK based loss recovery) and could not find
anything related to the modification. Could not we just follow RFC 3782
and simply increment congestion window size by one?
Best regards,
blue
e the
routing table lookup is unavoidable. So there must be a good reason
for the change.
Best regards,
blue
configuration files? I could only find the ipcp syntax.
Best regards,
blue
Dear all:
When looking into the soclose() in uipc_socket.c, I thought of one
possible situation.
If thread A called soclose() first, and then execute sorele() then
sofree(). However, in sofree() (defined in uipc_socket.c), the socket
mutex and accept mutex is unlocked first before releasing
31 matches