Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie
> In order to support this in a BSD protocol stack I must write a kernel
> thread (or "nfsd"-like kernel process) that waits on UDP port 500 socket, and
> *if* the zeros are not present, must push the packet into a *different* port
> 500 so that my regular IKE can receive this.
I can think of several other alternatives to this (this is in the
context of NetBSD; your mileage may vary):
1) you could register a so_upcall handler which picks off the ESP
traffic and leaves the IKE traffic present (with no need for a second
socket). This will probably work OK but will involve spuriously
waking up your IKE daemon.
2) you could "fix" the so_upcall interface so it can be used
efficiently for this purpose.
3) you could do what AFS did on BSD platforms, and jam a shim layer
between IP and UDP, and pick off the packet before udp_input().
Crude, but effective, and avoids the spurious wakeups.
4) register a pfil hook to decapsulate UDP 500+zeros packets into a
"normal" ESP packet; like #2, except that it uses documented
interfaces, and probably also uses less stack depth.
- Bill
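As an added illustration (not code from this thread, nor from any BSD stack), here is a user-space C version of the demux rule the thread is working from for draft-ietf-ipsec-udp-encaps-00 traffic on UDP port 500: a payload that begins with 32 bits of zeros carries ESP behind those zeros and is handed over decapsulated, as in option 4; anything else is left on the socket for the IKE daemon. Function names, struct names and the sample packets are constructed for this example. The check is only unambiguous if an IKE packet can never start with a zero first word, which is why the initiator cookie in the subject line matters; in the kernel the same test would sit in whichever hook (so_upcall, shim layer or pfil) is chosen.

```c
/* Added illustration, not code from the thread or from any BSD stack:
 * a user-space version of the UDP/500 demux rule discussed above for
 * draft-ietf-ipsec-udp-encaps-00. Rule as stated in the thread: a UDP
 * port 500 payload that starts with 32 bits of zeros carries ESP after
 * those zeros; any other payload is IKE (its first bytes are the
 * initiator cookie). Names and sample packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum udp500_kind { UDP500_MALFORMED = 0, UDP500_IKE = 1, UDP500_ESP = 2 };

/* Decapsulated view of an ESP packet found behind the zero marker. */
struct esp_view {
    const uint8_t *pkt; /* points at the ESP header (SPI field) */
    size_t len;         /* bytes from the SPI onward */
    uint32_t spi;
    uint32_t seq;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one UDP/500 payload (the bytes after the UDP header).
 * On UDP500_ESP, *out (if non-NULL) describes the ESP packet with the
 * four zero bytes stripped, i.e. the "normal" ESP packet of option #4. */
enum udp500_kind udp500_classify(const uint8_t *payload, size_t len,
                                 struct esp_view *out)
{
    static const uint8_t marker[4] = { 0, 0, 0, 0 };

    if (len < sizeof marker)
        return UDP500_MALFORMED;
    if (memcmp(payload, marker, sizeof marker) != 0)
        return UDP500_IKE;  /* non-zero first word: leave it for the IKE daemon */
    /* Behind the marker an ESP header needs at least SPI + sequence number. */
    if (len < sizeof marker + 8)
        return UDP500_MALFORMED;
    if (out) {
        out->pkt = payload + sizeof marker;
        out->len = len - sizeof marker;
        out->spi = be32(out->pkt);
        out->seq = be32(out->pkt + 4);
    }
    return UDP500_ESP;
}

/* Constructed samples: ESP behind the zero marker (SPI 0x1001, seq 7) and
 * an IKE packet whose first bytes are a non-zero initiator cookie. */
const uint8_t sample_esp[] = {
    0x00, 0x00, 0x00, 0x00,             /* 32 bits of zeros */
    0x00, 0x00, 0x10, 0x01,             /* SPI */
    0x00, 0x00, 0x00, 0x07,             /* sequence number */
    0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe  /* stand-in for the encrypted body */
};
const size_t sample_esp_len = sizeof sample_esp;

const uint8_t sample_ike[] = {
    0x4a, 0x7b, 0x19, 0xc3, 0x55, 0x02, 0x8e, 0xd1, /* initiator cookie */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* responder cookie, still zero */
    0x01, 0x10, 0x02, 0x00                          /* next payload, version, xchg, flags */
};
const size_t sample_ike_len = sizeof sample_ike;

/* Wrappers exposing the decapsulated fields for checking. */
uint32_t sample_esp_spi(void)
{
    struct esp_view v;
    return udp500_classify(sample_esp, sample_esp_len, &v) == UDP500_ESP ? v.spi : 0;
}

uint32_t sample_esp_seq(void)
{
    struct esp_view v;
    return udp500_classify(sample_esp, sample_esp_len, &v) == UDP500_ESP ? v.seq : 0;
}

size_t sample_esp_inner_len(void)
{
    struct esp_view v;
    return udp500_classify(sample_esp, sample_esp_len, &v) == UDP500_ESP ? v.len : 0;
}

int main(void)
{
    struct esp_view v;
    enum udp500_kind k = udp500_classify(sample_esp, sample_esp_len, &v);
    printf("esp sample     -> kind %d spi 0x%x seq %u inner %zu bytes\n",
           k, v.spi, v.seq, v.len);
    printf("ike sample     -> kind %d\n", udp500_classify(sample_ike, sample_ike_len, NULL));
    printf("3-byte runt    -> kind %d\n", udp500_classify(sample_ike, 3, NULL));
    printf("marker, no ESP -> kind %d\n", udp500_classify(sample_esp, 8, NULL));
    return 0;
}
```

Note that a runt with the zero marker but no room for an ESP header is reported as malformed rather than passed to either consumer, so a truncated datagram cannot reach the IKE daemon by accident.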