[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: revised IPsec processing model
At 11:22 -0400 7/19/03, Bill Sommerfeld wrote:
> > by introducing "virtual interface" and switching m->m_pkthdr.rcvif
>> based on the virtual interface, you will become unable to identify
>> peer correctly - after IPsec processing, both "fe80::1%segment1" and
>> "fe80::1%segment2" would become "fe80::1%ipsec". providing 1-by-1
>> mapping between virtual interface and real interface does not provide
>> a solution, since you will now see non-IPsec traffic as sent from
>> "fe80::1%segment1" and IPsec traffic as sent from "fe80::1%ipsec1",
>> and upper layer will get confused.
>
>Maybe we just need a name other than "virtual interface" for the ipsec
>entity.
>
>I understood the proposal as for a new kind of entity, the
>"2401-bis-ipsec-virtual-interface" which is different from the
>"real" interface as seen by IP.
>
>If you needed to record the 2401-bis-vif in packet metadata in
>addition to the physical interface, you'd put it in a parallel field
>to the BSD/KAME m->m_pkthdr.rcvif.
>
> - Bill
Thanks Bill. I am not knowledgeable enough about the details of host
implementations to have provided an answer like this.
Steve