[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NonConforming IPsec implementation from FreeBSD(Kame) IPsec?

To: Atul.Sharma@nokia.com
Subject: Re: NonConforming IPsec implementation from FreeBSD(Kame) IPsec?
From: itojun@iijlab.net
Date: Fri, 14 Jun 2002 01:51:30 +0900
Cc: ipsec@lists.tislabs.com, DG.IPD-IPSEC@nokia.com, ipsec-project@iprg.nokia.com
In-reply-to: Atul.Sharma's message of Thu, 13 Jun 2002 12:42:13 -0400. <DC504E9C3384054C8506D3E6BB012460079FE4@bsebe001.NOE.Nokia.com>
Sender: owner-ipsec@lists.tislabs.com

>> I looked at the same routine, the code looks like(lines 1232-1236 on
>> FreeBSD 4.5 RELEASE):
>>
>>                iphdr.ip_ttl = 0;
>>                iphdr.ip_sum = htons(0);
>>                if (ip4_ah_cleartos)
>>                        iphdr.ip_tos = 0;
>>                iphdr.ip_off = htons(ntohs(iphdr.ip_off) & ip4_ah_offsetmask);
>> So ip_tos and ip_off are not unconditionally zeroed like RFC 2402 says.
>> The interoperability problem shall come when we have fragments and/or
>> non-zero tos field. For all other traffic one shall not see the difference.

	ip4_ah_cleartos is 1 by default, and ip4_ah_offsetmask is 0 by default.
	therefore, TOS and fragment offset fields will be correctly cleared.

	these tunable variables are provided as older revisions of RFC was not
	very clear about how we should compute ICV.  it may seem redundant,
	but was useful during past interoperability tests.  we don't expect
	anyone to modify the variable.

itojun

References:
- RE: NonConforming IPsec implementation from FreeBSD(Kame) IPsec?
  - From: Atul.Sharma@nokia.com

Prev by Date: RE: NonConforming IPsec implementation from FreeBSD(Kame) IPsec?
Next by Date: Re: Son of IKE: A proposal for moving forward
Prev by thread: RE: NonConforming IPsec implementation from FreeBSD(Kame) IPsec?
Next by thread: Re: NonConforming IPsec implementation from FreeBSD(Kame) IPsec?
Index(es):
- Date
- Thread