[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: revised IPsec processing model
> by introducing "virtual interface" and switching m->m_pkthdr.rcvif
> based on the virtual interface, you will become unable to identify
> peer correctly - after IPsec processing, both "fe80::1%segment1" and
> "fe80::1%segment2" would become "fe80::1%ipsec". providing 1-by-1
> mapping between virtual interface and real interface does not provide
> a solution, since you will now see non-IPsec traffic as sent from
> "fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
> and upper layer will get confused.
Maybe we just need a name other than "virtual interface" for the ipsec
entity.
I understood the proposal as for a new kind of entity, the
"2401-bis-ipsec-virtual-interface" which is different from the
"real" interface as seen by IP.
If you needed to record the 2401-bis-vif in packet metadata in
addition to the physical interface, you'd put it in a parallel field
to the BSD/KAME m->m_pkthdr.rcvif.
- Bill