
Re: revised IPsec processing model
On Sat, Jul 19, 2003 at 07:59:27PM +0900, itojun@iijlab.net wrote:
> 	by introducing "virtual interface" and switching m->m_pkthdr.rcvif
> 	based on the virtual interface, you will become unable to identify
> 	peer correctly - after IPsec processing, both "fe80::1%segment1" and
> 	"fe80::1%segment2" would become "fe80::1%ipsec".  providing 1-by-1
> 	mapping between virtual interface and real interface does not provide
> 	a solution, since you will now see non-IPsec traffic as sent from
> 	"fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
> 	and upper layer will get confused.

I don't think the 'virtual interface' needs to replace the
m_pkthdr.rcvif.  The virtual interface can just be attached as some
kind of mbuf tag.

However, I don't see a difference between having the VID
as a special selector in a single SPD and having multiple SPDs
selected by VID.

-m