
Re: On transport-level policy enforcement (was Re: RFC 2401...)



Dan McDonald wrote:
> 
> >         actually, per host policy can be implemented by a policy entry with
> >         filter "0.0.0.0/0".  i don't remember why it is not done yet.
> 
> That makes sense.
> 
> >       because of some complexity (*) we have in our code, we do not cache
> >       packet filter policy into inpcb.  it definitely makes sense to cache it.
> 
> >       BTW, the cache-in-pcb way does not work well if the BSD box is used
> >       as a router:-)
> 
> In Solaris, tunnels are interfaces over the "IP device".  Since sockets are
> also opens of the "TCP/IP device," "UDP/IP device," or the "raw IP device,"
> tunnels have pcb's just like sockets do!
> 
> OTOH if your tunnels have complex rules (e.g. varieties of per-flow
> policies), then per-pcb-caching breaks down.
> 
> >       also, if we cache policy, inpcb management will get more complex -
> > need to make sure we do not have dangling pointer from inpcb to policy
> > entry.
> 
> Heh heh.  That's a tricky one, but it's doable.  Throw multithreading issues
> in if you want extra fun!  :)
> 
> Dan
>
	IBM gave a talk last year regarding a policy implementation
	using the multi-threaded BSD implementation in AIX 4.3. The
	talk described their "solution" to the dangling pointer and
	the revised socket/PCB/PolicyObject locking model. Hence the
	problem has been solved, but it did take considerable effort
	on the part of the IBM developers.

-- Bill (fisher@bravidacorp.com)
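Editor's note: the thread above leaves the "dangling pointer from inpcb to policy entry" problem stated but not shown. The sketch below is an added example, not code from KAME, AIX, Solaris or anyone on the thread. It constructs a toy policy table (struct policy, struct inpcb, policy_add, policy_remove, inpcb_policy are all hypothetical names) and shows one common way to cache a policy entry in a PCB safely: every holder (the table and each caching pcb) takes a reference, removal from the table only marks the entry stale and drops the table's reference, and the pcb re-validates its cached pointer on the next lookup. The catch-all "0.0.0.0/0" entry mentioned above is the mask-0 policy. It is single-threaded; the locking model the IBM talk dealt with is exactly what is left out here.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: refcounted policy entries cached in a pcb.
 * Names are hypothetical and not taken from any real kernel. */
struct policy {
    uint32_t prefix;   /* destination network, host byte order */
    uint32_t mask;     /* netmask; 0 gives the catch-all 0.0.0.0/0 entry */
    int      action;   /* e.g. 0 = bypass, 1 = apply IPsec */
    int      refcnt;   /* one ref for the table plus one per caching pcb */
    int      stale;    /* set once the entry is unlinked from the table */
};

#define MAX_POLICIES 8
static struct policy *policy_table[MAX_POLICIES];
static int policy_count;
static int policies_freed;        /* counts free() calls, for observation */

struct inpcb {
    uint32_t       faddr;         /* foreign (peer) address */
    struct policy *pol_cache;     /* cached policy; holds one reference */
};

static struct policy *policy_ref(struct policy *p) { p->refcnt++; return p; }

/* Memory is released only when the last holder lets go, so a pcb that
 * still caches a removed entry never points at freed memory. */
static void policy_unref(struct policy *p)
{
    if (--p->refcnt == 0) { free(p); policies_freed++; }
}

struct policy *policy_add(uint32_t prefix, uint32_t mask, int action)
{
    if (policy_count >= MAX_POLICIES) return NULL;
    struct policy *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->prefix = prefix & mask;
    p->mask   = mask;
    p->action = action;
    p->refcnt = 1;                /* the table's own reference */
    policy_table[policy_count++] = p;
    return p;
}

/* Unlink from the table and mark stale; cached copies stay valid until the
 * owning pcb sees the stale flag and drops its own reference. */
void policy_remove(struct policy *p)
{
    for (int i = 0; i < policy_count; i++) {
        if (policy_table[i] != p) continue;
        policy_table[i] = policy_table[--policy_count];
        p->stale = 1;
        policy_unref(p);
        return;
    }
}

static int mask_len(uint32_t mask)
{
    int n = 0;
    while (mask) { n += mask & 1; mask >>= 1; }
    return n;
}

/* Slow path: longest-prefix match over the whole table. */
static struct policy *policy_lookup_slow(uint32_t addr)
{
    struct policy *best = NULL;
    for (int i = 0; i < policy_count; i++) {
        struct policy *p = policy_table[i];
        if ((addr & p->mask) == p->prefix &&
            (!best || mask_len(p->mask) > mask_len(best->mask)))
            best = p;
    }
    return best;
}

/* Fast path: reuse the cached entry unless it has since been removed. */
struct policy *inpcb_policy(struct inpcb *inp)
{
    if (inp->pol_cache && inp->pol_cache->stale) {
        policy_unref(inp->pol_cache);   /* may free it, if we were last */
        inp->pol_cache = NULL;
    }
    if (!inp->pol_cache) {
        struct policy *p = policy_lookup_slow(inp->faddr);
        if (p) inp->pol_cache = policy_ref(p);
    }
    return inp->pol_cache;
}

/* Called when the socket/pcb itself goes away. */
void inpcb_detach(struct inpcb *inp)
{
    if (inp->pol_cache) { policy_unref(inp->pol_cache); inp->pol_cache = NULL; }
}

int policies_freed_count(void) { return policies_freed; }
```

The stale flag is what turns a cache hit into a cheap validity check: after policy_remove(), the next inpcb_policy() call on any pcb that cached the old entry drops its reference and falls back to the remaining match (here the 0.0.0.0/0 entry), and the old entry is freed only when the last such pcb has done so. In a real kernel the refcount and the table walk both need the locking the thread alludes to, and a router forwarding path has no pcb at all, which is the "does not work well if the BSD box is used as a router" point.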

