[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: revised IPsec processing model

To: sommerfeld@east.sun.com
Subject: Re: revised IPsec processing model
From: Stephen Kent <kent@bbn.com>
Date: Mon, 21 Jul 2003 11:27:51 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <200307191522.h6JFMt8Q021016@thunk.east.sun.com>
References: <200307191522.h6JFMt8Q021016@thunk.east.sun.com>
Sender: owner-ipsec@lists.tislabs.com

At 11:22 -0400 7/19/03, Bill Sommerfeld wrote:
>  >	by introducing "virtual interface" and switching m->m_pkthdr.rcvif
>>	based on the virtual interface, you will become unable to identify
>>	peer correctly - after IPsec processing, both "fe80::1%segment1" and
>>	"fe80::1%segment2" would become "fe80::1%ipsec".  providing 1-by-1
>>	mapping between virtual interface and real interface does not provide
>>	a solution, since you will now see non-IPsec traffic as sent from
>>	"fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
>>	and upper layer will get confused.
>
>Maybe we just need a name other than "virtual interface" for the ipsec
>entity.
>
>I understood the proposal as for a new kind of entity, the
>"2401-bis-ipsec-virtual-interface" which is different from the
>"real" interface as seen by IP.
>
>If you needed to record the 2401-bis-vif in packet metadata in
>addition to the physical interface, you'd put it in a parallel field
>to the BSD/KAME m->m_pkthdr.rcvif.
>
>					- Bill

Thanks Bill.  I am not knowledgeable enough about the details of host 
implementations to have provided an answer like this.

Steve

References:
- Re: revised IPsec processing model
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>

Prev by Date: Re: revised IPsec processing model
Next by Date: Re: revised IPsec processing model
Prev by thread: Re: revised IPsec processing model
Next by thread: Re: revised IPsec processing model
Index(es):
- Date
- Thread