Re: On transport-level policy enforcement (was Re: RFC 2401...)
Dan McDonald wrote:
>
> > actually, per host policy can be implemented by a policy entry with
> > filter "0.0.0.0/0". I don't remember why it is not done yet.
>
> That makes sense.
>
> > because of some complexity (*) we have in our code, we do not cache
> > packet filter policy into inpcb. it definitely makes sense to cache it.
>
> > BTW, the cache-in-pcb way does not work well if the BSD box is used
> > as a router:-)
>
> In Solaris, tunnels are interfaces over the "IP device". Since sockets are
> also opens of the "TCP/IP device," "UDP/IP device," or the "raw IP device,"
> tunnels have pcb's just like sockets do!
>
> OTOH if your tunnels have complex rules (e.g. varieties of per-flow
> policies), then per-pcb-caching breaks down.
>
> > also, if we cache policy, inpcb management will get more complex -
> > need to make sure we do not have dangling pointer from inpcb to policy
> > entry.
>
> Heh heh. That's a tricky one, but it's doable. Throw multithreading issues
> in if you want extra fun! :)
>
> Dan
>
IBM gave a talk last year regarding a policy implementation
using the multi-threaded BSD implementation in AIX 4.3. The
talk described their "solution" to the dangling pointer and
the revised socket/PCB/PolicyObject locking model. Hence the
problem has been solved, but it did take considerable effort
on the part of the IBM developers.
-- Bill (fisher@bravidacorp.com)
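The thread discusses caching a security-policy entry in the per-socket pcb (with a "0.0.0.0/0" filter serving as the per-host default) and the dangling-pointer problem that arises when a cached entry is later deleted. The following is an added example, written for this page and not code from the thread, KAME, Solaris or AIX: a single-threaded model in which each policy entry is reference counted and the pcb's cached pointer is tagged with the policy table's generation number, so a deleted entry can never be freed while a pcb still points at it, and a table change forces the pcb to re-resolve. The structure and field names (`inpcb`, `sp_cache`, `sp_gen`, `pol_gen`) are hypothetical; the locking the thread mentions is deliberately left out.

```c
/* Added example, not from the thread or any BSD/Solaris/AIX source.
 * Models a per-pcb cache of a security-policy entry that stays safe
 * across policy deletion: reference counts keep an entry allocated
 * while a pcb holds it, and a table generation counter tells the pcb
 * when its cached choice may no longer be the right match.
 * Single-threaded; a real kernel would hold the table lock around
 * pol_add/pol_remove and the pcb lock around the cache swap. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum action { POL_BYPASS, POL_PROTECT, POL_DISCARD };

struct policy {
    uint32_t net;            /* filter network, host byte order */
    int plen;                /* prefix length; 0 means 0.0.0.0/0 */
    enum action act;
    int refcnt;              /* one for the table, one per caching pcb */
    struct policy *next;
};

struct inpcb {               /* hypothetical pcb with a policy cache */
    uint32_t faddr;          /* foreign address, host byte order */
    struct policy *sp_cache; /* cached entry; holds one reference */
    uint64_t sp_gen;         /* pol_gen at the time it was cached */
};

static struct policy *pol_head;
static uint64_t pol_gen = 1; /* bumped on every add or remove */

static void pol_ref(struct policy *p) { p->refcnt++; }
static void pol_unref(struct policy *p) { if (--p->refcnt == 0) free(p); }

static int pol_match(const struct policy *p, uint32_t addr) {
    uint32_t mask = p->plen == 0 ? 0 : 0xffffffffu << (32 - p->plen);
    return (addr & mask) == (p->net & mask);
}

struct policy *pol_add(uint32_t net, int plen, enum action act) {
    struct policy *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->net = net; p->plen = plen; p->act = act;
    p->refcnt = 1;                     /* the table's own reference */
    p->next = pol_head; pol_head = p;
    pol_gen++;
    return p;
}

/* Unlink from the table and drop only the table's reference: any pcb
 * still caching the entry keeps it allocated until it re-resolves. */
void pol_remove(struct policy *victim) {
    for (struct policy **pp = &pol_head; *pp; pp = &(*pp)->next) {
        if (*pp == victim) {
            *pp = victim->next;
            pol_gen++;
            pol_unref(victim);
            return;
        }
    }
}

static struct policy *pol_lookup(uint32_t addr) {   /* longest prefix wins */
    struct policy *best = NULL;
    for (struct policy *p = pol_head; p; p = p->next)
        if (pol_match(p, addr) && (!best || p->plen > best->plen))
            best = p;
    return best;
}

/* Return the action for this pcb, re-resolving whenever the cached
 * entry predates the current table generation. */
enum action inpcb_policy(struct inpcb *inp) {
    struct policy *p = inp->sp_cache;
    if (p == NULL || inp->sp_gen != pol_gen) {
        if (p) { pol_unref(p); inp->sp_cache = NULL; }   /* stale: release */
        p = pol_lookup(inp->faddr);
        if (p == NULL) return POL_DISCARD;               /* no policy: fail closed */
        pol_ref(p);
        inp->sp_cache = p;
        inp->sp_gen = pol_gen;
    }
    return p->act;
}

void inpcb_detach(struct inpcb *inp) {
    if (inp->sp_cache) { pol_unref(inp->sp_cache); inp->sp_cache = NULL; }
}

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Constructed scenario; returns 0 if every step behaves as intended. */
int demo(void) {
    struct inpcb inp = { .faddr = ip4(10, 1, 2, 3) };
    struct policy *any = pol_add(0, 0, POL_BYPASS);              /* per-host 0.0.0.0/0 */
    if (inpcb_policy(&inp) != POL_BYPASS) return 1;
    struct policy *net10 = pol_add(ip4(10, 0, 0, 0), 8, POL_PROTECT);
    if (inpcb_policy(&inp) != POL_PROTECT) return 2;             /* gen bump: re-resolved */
    if (net10->refcnt != 2) return 3;                            /* table + pcb */
    pol_remove(net10);                                           /* pcb still holds it */
    if (net10->refcnt != 1) return 4;                            /* not freed: no dangling pointer */
    if (inpcb_policy(&inp) != POL_BYPASS) return 5;              /* stale ref dropped, net10 freed */
    pol_remove(any);
    if (inpcb_policy(&inp) != POL_DISCARD) return 6;             /* empty table fails closed */
    inpcb_detach(&inp);
    return 0;
}

int main(void) {
    int rc = demo();
    printf("policy cache demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The generation check is what keeps the cache correct when a more specific entry is added or removed elsewhere in the table, and the reference count is what keeps it safe: a removal that races a lookup can at worst hand out an entry that is about to be re-resolved, never one that has been freed. With the locking the thread alludes to, the count and generation would change under the table lock and the cache swap under the pcb lock.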