Next: 2.2.1 Comments upon problems/limitations
Up: 2 Current KLIPS input/output
Previous: 2.1.1 Comments upon problems/limitations
- increment module use count
- verify skb and data is not NULL
- verify hard header length
- clone (COW) if necessary
- a number of poorly documented "assertions"
- verify protocol number against packet and against protocol structure
- verify that protocol is AH, COMP or ESP.
- lookup each ipsecX device to determine which one has been bound to the receiving device. Grab ipsecprv device info.
- if no device found, warn, but do not die
- begin decap loop
  - lock tdb if this is first time through
  - verify that length is appropriate multiple if ESP
  - switch on protocol type, grab SPI value from appropriate place
  - format sa with satoa. (not found in code)
  - if AH, then determine AH header length, find next protocol value, and verify against expected length of AH header.
  - get spin lock if required
  - if IPCOMP
    - check if IPCOMP is outermost header (not yet supported)
    - advance the tdb pointer and, if doing inbound policy check, then check SPI value. Complain if not matched.
    - decompress packet, reset ip header pointer to new value, loop (via continue)
  - lookup tdb based upon SA. gettdb
  - complain if no tdb
  - if doing inbound policy check
    - check that outer source matches one on packet.
    - check that this tdb is the expected next from previous. (forward check)
    - check that this tdb expects to be attached to previous. (reverse check)
  - check if tdb state is larval, skip
  - check if tdb state is dead, complain
  - check lifetime (bytes - soft/hard, addtime - soft/hard, usetime - soft/hard, packet count - soft/hard). Expire TDB, tell pfkey if limit exceeded.
  - pick authlen, switch on auth type (MD5, SHA1)
  - switch on protocol type (ESP, AH only) and set up authenticator
  - check sequence number to see if replay window rolled, if so expire
  - check the replay window, dropping if it is a replay
  - verify authenticator, check if there was authentication, switch on type
    - MD5, call MD5Update and friends, checking if ESP or AH was involved
    - SHA1, call SHA1Update and friends, checking if ESP or AH was involved
    - none, do nothing
    - check authenticator for NULL (which would imply not AH or ESP above)
    - compare authenticator against hash, complain if failed
    - update the replay window
  - switch on protocol type
    - if ESP
      - switch on encryption algorithm
        - if 3DES, then find IV and set header length
        - otherwise, fail
      - locate ciphertext based upon header length
      - switch on encryption algorithm
        - if 3DES, verify data length multiple of 8 and decrypt.
        - no otherwise clause
      - find next header type
      - find padding
      - verify padding
    - if AH, do nothing
  - update protocol number in header (why?)
  - switch on protocol type
    - if ESP, then memmove as appropriate for ESP, skb_pull() to compact, and then skb_trim.
    - if AH, then memmove as appropriate for AH, skb_pull().
  - update skb pointers to parts of packet.
  - nuke any options that skb knew about, or skb->proto_priv (2.2+)
  - recalculate the header checksum
  - set the skb protocol type to IP over ethernet
  - advance tdb pointers
  - if doing inbound policy check
    - verify that backward policy agrees with forward policy
    - check if next protocol field is not one we know about
      - complain that policy was not complete
  - update ipcomp ratio counters if IPCOMP was involved, but this stage is not IPCOMP
  - update the lifetime values in bytes, packets, and last used time.
  - loop again if ESP, AH or IPCOMP
- if original chain was IPCOMP, then advance tdb chain once (Why?)
- if there is one last tdb
  - verify that last protocol type was IPIP (no transport supported here)
  - if doing inbound policy checks
    - advance tdbnext with inext, and complain if non-NULL. (i.e. check that this was last tdb)
    - verify source IP address matches tdb source
  - update lifetimes for this tdb
  - if skb data len is too small for header length, complain
  - pull up new header into skb
  - advance ip pointer to inner header
  - update raw header pointer
  - zero protocol options
  - update layer 2 protocol info to IP over Ethernet
  - reset checksum info
- if we are doing EROUTE checking (i.e. tunnel exit checking)
  - setup for lookup by src/dst in eroute table, checking for IPIP header.
  - lock eroute table, lookup eroute
  - record info we need and unlock
  - if we found what we need, then lock, and lookup policy information by new said block.
    - if no tdb found, then we drop packet
    - walk policy_tdb chain, look for last one
    - compare against tdb that we just used, complain if not the same.
  - unlock tdb
- update stats if appropriate
- release packet destination
- if there was a layer 2, copy it back into place
- do inbound policy checks if it was IPCOMP
- do connection tracking
- drop packet back into bottom half queue
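The decap loop above checks the replay window before the authenticator is verified and only updates the window afterwards. The C program below is an added example written for this page, not KLIPS code: a stand-alone 32-bit sliding window in the style of RFC 2401 Appendix C, with the names replay_state, replay_check, replay_update, process_packet and replay_demo chosen for the example. The KLIPS tdb keeps its own fields for this state; the example does not reproduce them, and the packet sequence it runs is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Window width in packets; KLIPS used a 32-bit bitmap for the same job. */
#define REPLAY_WINDOW 32u

/* Per-SA replay state. Field names are this example's, not the tdb's. */
struct replay_state {
    uint32_t lastseq; /* highest sequence number accepted so far */
    uint32_t bitmap;  /* bit n set: lastseq - n has already been accepted */
};

/* Step 1 (before authentication): is seq acceptable? Reads state only. */
bool replay_check(const struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;             /* counter wrapped: SA must be expired, not reused */
    if (seq > st->lastseq)
        return true;              /* right of the window: always new */
    uint32_t diff = st->lastseq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;             /* left of the window: too old */
    return (st->bitmap & (1u << diff)) == 0; /* inside the window: seen before? */
}

/* Step 3 (after the authenticator verified): commit seq to the window. */
bool replay_update(struct replay_state *st, uint32_t seq)
{
    if (!replay_check(st, seq))
        return false;
    if (seq > st->lastseq) {
        uint32_t diff = seq - st->lastseq;
        st->bitmap = (diff < REPLAY_WINDOW) ? (st->bitmap << diff) | 1u : 1u;
        st->lastseq = seq;
    } else {
        st->bitmap |= 1u << (st->lastseq - seq);
    }
    return true;
}

/* The order used by the decap loop: check, authenticate, update.
 * auth_ok stands in for the result of comparing the authenticator.
 * Returns 0 accepted, -1 dropped as replay/too old, -2 dropped as unauthenticated. */
int process_packet(struct replay_state *st, uint32_t seq, bool auth_ok)
{
    if (!replay_check(st, seq))
        return -1;
    if (!auth_ok)
        return -2;                /* window untouched: forged packets cannot move it */
    replay_update(st, seq);
    return 0;
}

/* Constructed packet sequence; returns how many packets were accepted (5). */
int replay_demo(void)
{
    struct replay_state st = { 0, 0 };
    struct { uint32_t seq; bool auth_ok; } pkts[] = {
        { 1, true },  { 1, true },  /* first is new, second is a replay */
        { 5, false }, { 5, true },  /* bad MAC must not advance the window */
        { 3, true },  { 3, true },  /* late arrival inside the window, then its replay */
        { 40, true }, { 5, true },  /* jump past the window; 5 is now too old */
        { 9, true },  { 0, true },  /* 40-9 = 31 still inside; 0 is never valid */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        int rc = process_packet(&st, pkts[i].seq, pkts[i].auth_ok);
        printf("seq %2u auth=%d -> %s\n", (unsigned)pkts[i].seq, (int)pkts[i].auth_ok,
               rc == 0 ? "accept" : rc == -1 ? "drop (replay/old)" : "drop (bad auth)");
        if (rc == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("accepted %d packets\n", replay_demo());
    return 0;
}
```

The split into a read-only check and a separate update is the point: the window must not move until the packet has authenticated, otherwise a packet with a forged authenticator could push the window forward and cause the sender's genuine, later-arriving packets to be dropped as "too old". The seq == 0 rejection corresponds to the outline's "check sequence number to see if replay window rolled, if so expire".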
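The ESP branch of the decap loop verifies that the data length is a multiple of 8, decrypts, then finds the next header type, finds the padding and verifies it. The following C code is an added example, not KLIPS code, showing that trailer parsing on an already-decrypted payload. The names esp_parse_trailer, esp_demo and the three payload arrays are this example's; the payloads are constructed, and the example assumes "verify padding" means checking the bytes against the RFC 2406 default padding scheme (1, 2, 3, ...), which the outline does not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse the trailer of an already-decrypted ESP payload:
 *   [ inner packet ][ padding (pad_len bytes) ][ pad_len ][ next_header ]
 * blocksize is the cipher block size (8 for 3DES, the only cipher the outline
 * handles). Returns the inner packet length, or -1 if the trailer is malformed.
 * Padding content is checked against the RFC 2406 default scheme (1, 2, 3, ...). */
int esp_parse_trailer(const uint8_t *buf, size_t len, size_t blocksize,
                      uint8_t *next_header)
{
    if (len < 2 || blocksize == 0 || len % blocksize != 0)
        return -1;                              /* not a whole number of blocks */
    uint8_t pad_len = buf[len - 2];
    if ((size_t)pad_len + 2 > len)
        return -1;                              /* pad_len claims more than we have */
    const uint8_t *pad = buf + len - 2 - pad_len;
    for (size_t i = 0; i < pad_len; i++) {
        if (pad[i] != (uint8_t)(i + 1))
            return -1;                          /* wrong key or altered ciphertext */
    }
    *next_header = buf[len - 1];                /* only reported on success */
    return (int)(len - 2 - pad_len);
}

/* Constructed decrypted payload: 5 inner bytes, one pad byte (value 1),
 * pad_len = 1, next_header = 4 (IPIP, the tunnel header the outline expects). */
static const uint8_t good_payload[8] = {
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0x01, 0x01, 0x04
};

/* Same bytes with the pad byte corrupted, as a decrypt under the wrong key would look. */
static const uint8_t bad_pad_payload[8] = {
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0x07, 0x01, 0x04
};

/* pad_len larger than the whole buffer: must be rejected before reading pad bytes. */
static const uint8_t bad_len_payload[8] = {
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0x01, 0xFF, 0x04
};

/* Runs the parser over the constructed payloads; returns the good inner length (5). */
int esp_demo(void)
{
    uint8_t nh = 0;
    int n = esp_parse_trailer(good_payload, sizeof good_payload, 8, &nh);
    printf("good: inner len %d, next header %u\n", n, (unsigned)nh);
    printf("bad pad byte: %d\n", esp_parse_trailer(bad_pad_payload, 8, 8, &nh));
    printf("bad pad_len:  %d\n", esp_parse_trailer(bad_len_payload, 8, 8, &nh));
    printf("odd length:   %d\n", esp_parse_trailer(good_payload, 7, 8, &nh));
    return n;
}

int main(void)
{
    esp_demo();
    return 0;
}
```

The pad_len bound is checked before any pad byte is read, so an attacker-controlled trailer cannot make the parser index outside the skb. Note also that the outline allows an auth type of "none": on such an SA the padding check is the only thing that fails on tampered ciphertext, and a receiver that reports "bad padding" distinguishably from other drops is in the classic padding-oracle position, which is one more reason inbound policy should require an authenticator.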
Michael Richardson
2001-11-27