
Re: On transport-level policy enforcement (was Re: RFC 2401...)
> 	  Actually, per host policy can be implemented by a policy entry with
> 	  filter "0.0.0.0/0".  I don't remember why it is not done yet.

That makes sense.

> 	Because of some complexity (*) we have in our code, we do not cache
> 	packet filter policy into inpcb.  It definitely makes sense to cache it.
> 	BTW, the cache-in-pcb way does not work well if the BSD box is used
> 	as a router:-)

In Solaris, tunnels are interfaces over the "IP device".  Since sockets are
also opens of the "TCP/IP device," "UDP/IP device," or the "raw IP device,"
tunnels have pcb's just like sockets do!

OTOH if your tunnels have complex rules (e.g. varieties of per-flow
policies), then per-pcb-caching breaks down.

> 	Also, if we cache policy, inpcb management will get more complex -
> 	need to make sure we do not have a dangling pointer from inpcb to policy
> 	entry.

Heh heh.  That's a tricky one, but it's doable.  Throw multithreading issues
in if you want extra fun!  :)

Dan
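The dangling-pointer concern discussed above (a pcb holding a cached pointer to a policy entry that is later removed from the table) can be made concrete with a small model. The following C program is an added illustration for this thread; it is not code from the original message, nor from any BSD, KAME or Solaris IPsec implementation, and the structure and function names (`secpolicy`, `inpcb`, `sp_add`, `sp_remove`, `inpcb_policy`) are toy names chosen here. It shows the two standard mitigations together: a reference count so a removed entry is not freed while a pcb still points at it, and a table generation number so the pcb re-resolves its policy after any table change instead of trusting a stale cache. The per-host default is expressed exactly as the thread suggests, a catch-all "0.0.0.0/0" entry, with a more specific prefix overriding it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Added example, not from the thread or any real IPsec stack.
 * Addresses and masks are plain host-order uint32_t values. */

enum { POLICY_NONE = 0, POLICY_IPSEC = 1 };

struct secpolicy {
    uint32_t prefix, mask;     /* filter, e.g. 0.0.0.0/0 for a per-host default */
    int action;
    int refcnt;                /* table reference + one per caching pcb */
    int deleted;               /* removed from table but possibly still cached */
    struct secpolicy *next;
};

static struct secpolicy *sptable;      /* global policy table (linked list) */
static unsigned sp_generation;         /* bumped on every add or remove */

struct inpcb {
    uint32_t laddr;
    struct secpolicy *sp_cache;        /* cached policy, holds a reference */
    unsigned sp_gen;                   /* table generation the cache was built at */
};

static void sp_ref(struct secpolicy *sp) { sp->refcnt++; }
static void sp_unref(struct secpolicy *sp) { if (--sp->refcnt == 0) free(sp); }

struct secpolicy *sp_add(uint32_t prefix, uint32_t mask, int action) {
    struct secpolicy *sp = calloc(1, sizeof *sp);
    sp->prefix = prefix & mask; sp->mask = mask; sp->action = action;
    sp->refcnt = 1;                    /* the table's own reference */
    sp->next = sptable; sptable = sp;
    sp_generation++;
    return sp;
}

/* Unlink from the table. The entry stays allocated while any pcb still
 * references it, so a cached pointer never dangles. */
void sp_remove(struct secpolicy *target) {
    for (struct secpolicy **pp = &sptable; *pp; pp = &(*pp)->next)
        if (*pp == target) { *pp = target->next; break; }
    target->deleted = 1;
    sp_generation++;
    sp_unref(target);
}

/* Most specific (numerically largest contiguous mask) match wins. */
struct secpolicy *sp_lookup(uint32_t addr) {
    struct secpolicy *best = NULL;
    for (struct secpolicy *sp = sptable; sp; sp = sp->next)
        if ((addr & sp->mask) == sp->prefix && (!best || sp->mask > best->mask))
            best = sp;
    return best;
}

/* Resolve the policy for a pcb, refreshing the cache if the table changed. */
int inpcb_policy(struct inpcb *inp) {
    if (inp->sp_cache == NULL || inp->sp_gen != sp_generation) {
        if (inp->sp_cache) sp_unref(inp->sp_cache);   /* drop stale reference */
        inp->sp_cache = sp_lookup(inp->laddr);
        if (inp->sp_cache) sp_ref(inp->sp_cache);
        inp->sp_gen = sp_generation;
    }
    return inp->sp_cache ? inp->sp_cache->action : POLICY_NONE;
}

void inpcb_detach(struct inpcb *inp) {
    if (inp->sp_cache) { sp_unref(inp->sp_cache); inp->sp_cache = NULL; }
}

/* Walkthrough on constructed data. Returns a*100 + b*10 + c where a, b, c
 * are the three successive policy answers, or -1 if refcounting misbehaved. */
int demo(void) {
    struct inpcb inp = { .laddr = 0x0a000001 };              /* 10.0.0.1, constructed */
    sp_add(0, 0, POLICY_IPSEC);                              /* 0.0.0.0/0: host-wide */
    int a = inpcb_policy(&inp);                              /* IPSEC */
    struct secpolicy *exc = sp_add(0x0a000000, 0xffffff00, POLICY_NONE); /* 10.0.0.0/24 */
    int b = inpcb_policy(&inp);                              /* NONE: generation changed */
    sp_remove(exc);                                          /* pcb still holds a ref */
    if (exc->refcnt != 1 || !exc->deleted) return -1;        /* alive, but marked */
    int c = inpcb_policy(&inp);                              /* IPSEC again; exc freed */
    inpcb_detach(&inp);
    return a * 100 + b * 10 + c;
}

int main(void) {
    printf("demo() = %d (expect 101)\n", demo());
    return 0;
}
```

The generation counter is the coarse tool: any table change invalidates every cache, which costs one lookup per pcb after a policy update but never leaves a pcb acting on a withdrawn entry. The reference count handles the window between removal and refresh, which is also the window a multithreaded stack has to protect with the entry's own lock or with the pcb lock.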