
Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie



>    In order to support this in a BSD protocol stack I must write a kernel
> thread (or "nfsd"-like kernel process) that waits on UDP port 500 socket, and
> *if* the zeros are not present, must push the packet into a *different* port
> 500 so that my regular IKE can receive this. 

I can think of several other alternatives to this (this is in the
context of NetBSD; your mileage may vary):

 1) you could register a so_upcall handler which picks off the ESP
traffic and leaves the IKE traffic present (with no need for a second
socket).  This will probably work ok but will involve spuriously
waking up your ike daemon.

 2) you could "fix" the so_upcall interface so it can be used
efficiently for this purpose.

 3) you could do what AFS did on BSD platforms, and jam a shim layer
between IP and UDP, and pick off the packet before udp_input().
Crude, but effective, and avoids the spurious wakeups.

 4) register a pfil hook to decapsulate UDP 500+zeros packets into a
"normal" ESP packet; like #2, except that it uses documented
interfaces, and probably also uses less stack depth.

					- Bill
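The demultiplexing rule the thread turns on is that, under draft-00, an ESP packet carried in UDP port 500 is prefixed with 32 bits of zeros, while an IKE packet begins with its non-zero initiator cookie. The following is an added illustrative example, not code from the message above or from NetBSD, of the classify-and-strip step that option 4 would perform before handing a packet to ESP input. It is written as plain user-space C so it can be compiled and run anywhere; the function and type names, the sample datagrams, and the minimum-length checks (an 8-byte SPI plus sequence number for ESP, a 28-byte fixed ISAKMP header for IKE) are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of inspecting one UDP/500 datagram under the zero-marker scheme. */
enum udp500_kind {
    UDP500_IKE,       /* first 32 bits non-zero: IKE initiator cookie, leave for the daemon */
    UDP500_ESP,       /* first 32 bits zero: UDP-encapsulated ESP, strip the marker */
    UDP500_MALFORMED  /* too short to be either; drop rather than guess */
};

#define ESP_MARKER_LEN   4   /* the "32 bits of zeros" in front of encapsulated ESP */
#define ESP_MIN_HDR_LEN  8   /* SPI (4 bytes) + sequence number (4 bytes) */
#define ISAKMP_HDR_LEN  28   /* fixed ISAKMP header: cookies, type, flags, msg id, length */

/* Hypothetical result type: where the inner packet starts and how long it is. */
struct demux_result {
    enum udp500_kind kind;
    const uint8_t *payload;  /* first byte of the ESP or IKE header */
    size_t len;              /* bytes from payload to the end of the datagram */
};

/* Classify a UDP/500 payload and, for ESP, skip the zero marker.
 * The datagram is never modified; the caller decides where to deliver it. */
struct demux_result demux_udp500(const uint8_t *buf, size_t len)
{
    struct demux_result r = { UDP500_MALFORMED, NULL, 0 };
    static const uint8_t zeros[ESP_MARKER_LEN] = { 0, 0, 0, 0 };

    if (buf == NULL || len < ESP_MARKER_LEN)
        return r;  /* not enough bytes to even look at the marker */

    if (memcmp(buf, zeros, ESP_MARKER_LEN) == 0) {
        /* Marker present: what follows must be a complete ESP header. */
        if (len - ESP_MARKER_LEN < ESP_MIN_HDR_LEN)
            return r;
        r.kind = UDP500_ESP;
        r.payload = buf + ESP_MARKER_LEN;
        r.len = len - ESP_MARKER_LEN;
        return r;
    }

    /* No marker: treat as IKE, but only if a full ISAKMP header is present. */
    if (len < ISAKMP_HDR_LEN)
        return r;
    r.kind = UDP500_IKE;
    r.payload = buf;
    r.len = len;
    return r;
}

/* Constructed sample datagrams (not captured traffic) for a stand-alone run. */
const uint8_t sample_esp[] = {
    0x00, 0x00, 0x00, 0x00,        /* zero marker */
    0x00, 0x00, 0x10, 0x01,        /* SPI */
    0x00, 0x00, 0x00, 0x01,        /* sequence number */
    0xde, 0xad, 0xbe, 0xef         /* start of (opaque) ESP payload */
};
const uint8_t sample_ike[ISAKMP_HDR_LEN] = {
    0x3a, 0x7c, 0x11, 0x90, 0x55, 0x02, 0xe4, 0x19,  /* non-zero initiator cookie */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* responder cookie (first msg) */
    0x01, 0x10, 0x02, 0x00,                          /* next payload, version, exch, flags */
    0x00, 0x00, 0x00, 0x00,                          /* message id */
    0x00, 0x00, 0x00, 0x1c                           /* length = 28 */
};
const uint8_t sample_short[] = { 0x00, 0x00, 0x00, 0x00, 0x01 }; /* marker, truncated ESP */

static const char *kind_name(enum udp500_kind k)
{
    return k == UDP500_IKE ? "IKE" : k == UDP500_ESP ? "ESP" : "malformed";
}

int main(void)
{
    struct demux_result r;
    r = demux_udp500(sample_esp, sizeof sample_esp);
    printf("sample_esp:   %s, inner length %zu\n", kind_name(r.kind), r.len);
    r = demux_udp500(sample_ike, sizeof sample_ike);
    printf("sample_ike:   %s, inner length %zu\n", kind_name(r.kind), r.len);
    r = demux_udp500(sample_short, sizeof sample_short);
    printf("sample_short: %s\n", kind_name(r.kind));
    return 0;
}
```

In the pfil-hook form described in option 4 the ESP branch would rewrite the mbuf in place (drop the UDP header and marker, fix up the IP length and protocol) and re-inject it as protocol 50, while the IKE branch returns the packet untouched so the daemon's socket still sees it; the malformed branch is the one worth keeping separate, since a packet too short to carry a full header should be dropped rather than passed on as either kind.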
