Hello Herbert,
> On Sat, Jul 10, 2004 at 01:36:41PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> > Looks good.
>
> Thanks for reviewing it.
>
> I've got a couple of questions that you might be able to help me with.
>
> It appears that the value of hdr_len in ah6 for transport mode is broken.
> It's setting hdr_len to be skb->h.raw - skb->nh.raw. When AH is being
> applied outside an ESP tunnel, skb->h.raw will be pointing somewhere
> inside the tunnel. The end result is that leading bytes of the payload
> inside the tunnel get moved before the AH header.
>
Right, the esp6 tunnel doesn't care about skb->h.raw. We need to fix it.
> So should it be changed to ip6_find_1stfragopt() as is the case with
> esp6 and ipcomp6?
Do we need to skip the esp or ipcomp payload?
I think those are similar to a transport layer protocol in the outer esp process.
Did I misunderstand your question?
> A second problem is that ip6_find_1stfragopt() seems to be the wrong
> thing to do for ah6/esp6/ipcomp6. RFC 2402/2406/3173 all say that
> fragment headers should be placed before the encapsulation header.
> So should it be changed accordingly?
>
Because fragmentation takes place after IPsec processing,
do we need to make ip6_find_1stfragopt care about the fragment header?
I think there is no fragment header in the skb at that point.
--Kazunori Miyazawa