Re: revised IPsec processing model
At 16:25 +0200 7/19/03, Markus Friedl wrote:
>On Sat, Jul 19, 2003 at 07:59:27PM +0900, itojun@iijlab.net wrote:
>> by introducing "virtual interface" and switching m->m_pkthdr.rcvif
>> based on the virtual interface, you will become unable to identify
>> peer correctly - after IPsec processing, both "fe80::1%segment1" and
>> "fe80::1%segment2" would become "fe80::1%ipsec". providing 1-by-1
>> mapping between virtual interface and real interface does not provide
>> a solution, since you will now see non-IPsec traffic as sent from
>> "fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
>> and upper layer will get confused.
>
>I don't think the 'virtual interface' needs to replace the
>m_pkthdr.rcvif. The virtual interface can just be attached as some
>kind of mbuf tag.
>
>However, I don't see a difference between having the VID
>as a special selector in a single SPD and having multiple SPDs
>selected by VID.
You are correct that one could choose to implement a single SPD in
which the VID was another "selector." However, I avoided presenting
this as the basic model for at least two reasons that I can recall
now:
- in 2401 we talked in terms of per interface SPDs, so it is
more consistent with the old model to talk in terms of per-virtual
interface SPDs
- we have generally reserved the term "selector" for data
items extracted from packet headers. The VID is not part of a packet
header.
Steve
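As an added illustration, not code from this thread or from any of the implementations mentioned in it: a small Python model of the two SPD arrangements Markus and Steve compare (VID as an extra selector in one SPD versus one SPD per virtual interface), plus the rcvif question itojun raised. The rule tables, VID names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str                 # source address; link-local written as addr%zone
    proto: str
    rcvif: str               # real receiving interface, i.e. the scope zone
    ipsec_vid: Optional[str] = None   # virtual-interface id carried as a tag

# Model A: one SPD, VID folded in as an extra selector (None = any VID).
# Entries are (vid, src_prefix, proto, action); first match wins.
SINGLE_SPD = [
    ("ipsec1", "fe80::/10", "tcp", "PROTECT"),
    ("ipsec2", "fe80::/10", "tcp", "DISCARD"),
    (None,     "::/0",      "*",   "BYPASS"),
]

# Model B: one SPD per virtual interface (the 2401-style per-interface view);
# the None table serves packets that arrived outside any IPsec tunnel.
PER_VID_SPD = {
    "ipsec1": [("fe80::/10", "tcp", "PROTECT"), ("::/0", "*", "BYPASS")],
    "ipsec2": [("fe80::/10", "tcp", "DISCARD"), ("::/0", "*", "BYPASS")],
    None:     [("::/0", "*", "BYPASS")],
}

def _match(pkt: Packet, prefix: str, proto: str) -> bool:
    addr = ipaddress.ip_address(pkt.src.split("%")[0])   # drop the zone id
    return addr in ipaddress.ip_network(prefix) and proto in ("*", pkt.proto)

def lookup_single_spd(pkt: Packet) -> str:
    for vid, prefix, proto, action in SINGLE_SPD:
        if vid in (None, pkt.ipsec_vid) and _match(pkt, prefix, proto):
            return action
    return "DISCARD"          # no entry matched: default-deny

def lookup_per_vid_spd(pkt: Packet) -> str:
    for prefix, proto, action in PER_VID_SPD.get(pkt.ipsec_vid, PER_VID_SPD[None]):
        if _match(pkt, prefix, proto):
            return action
    return "DISCARD"

def peer_id_tagged(pkt: Packet) -> str:
    # VID kept as a tag: peer identity still comes from the real interface.
    return f"{pkt.src.split('%')[0]}%{pkt.rcvif}"

def peer_id_rewritten(pkt: Packet) -> str:
    # VID overwrites rcvif (itojun's objection): distinct segments collapse.
    return f"{pkt.src.split('%')[0]}%{pkt.ipsec_vid or pkt.rcvif}"
```

Both lookups return the same action for every packet, which is the equivalence Markus points to; the two peer_id functions show why keeping the VID as a tag rather than replacing rcvif preserves the link-local scope distinction.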