[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: revised IPsec processing model
On Sat, Jul 19, 2003 at 07:59:27PM +0900, itojun@iijlab.net wrote:
> by introducing "virtual interface" and switching m->m_pkthdr.rcvif
> based on the virtual interface, you will become unable to identify
> peer correctly - after IPsec processing, both "fe80::1%segment1" and
> "fe80::1%segment2" would become "fe80::1%ipsec". providing 1-by-1
> mapping between virtual interface and real interface does not provide
> a solution, since you will now see non-IPsec traffic as sent from
> "fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
> and upper layer will get confused.
I don't think the 'virtual interface' needs to replace the
m_pkthdr.rcvif. The virtual interface can just be attached as some
kind of mbuf tag.
However, I don't see a difference between having the VID
as a special selectors in a single SPD and having mutiple SPDs
selected by VID.
-m