[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: revised IPsec processing model



> 	by introducing "virtual interface" and switching m->m_pkthdr.rcvif
> 	based on the virtual interface, you will become unable to identify
> 	peer correctly - after IPsec processing, both "fe80::1%segment1" and
> 	"fe80::1%segment2" would become "fe80::1%ipsec".  providing 1-by-1
> 	mapping between virtual interface and real interface does not provide
> 	a solution, since you will now see non-IPsec traffic as sent from
> 	"fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
> 	and upper layer will get confused.

Maybe we just need a name other than "virtual interface" for the ipsec
entity.

I understood the proposal as for a new kind of entity, the
"2401-bis-ipsec-virtual-interface" which is different from the
"real" interface as seen by IP.

If you needed to record the 2401-bis-vif in packet metadata in
addition to the physical interface, you'd put it in a parallel field
to the BSD/KAME m->m_pkthdr.rcvif.

					- Bill