Date: Fri, 23 Jul 2004 13:37:37 -0700
From: "David S. Miller"
To: Herbert Xu
Cc: kazunori@miyazawa.org, netdev@oss.sgi.com
Subject: Re: [AH6] Disallow mutable bits after AH header
Message-Id: <20040723133737.447a9598.davem@redhat.com>
In-Reply-To: <20040723135320.GA26000@gondor.apana.org.au>
References: <20040723135320.GA26000@gondor.apana.org.au>

On Fri, 23 Jul 2004 23:53:21 +1000
Herbert Xu wrote:

> As we discussed before, mutable headers should not be allowed after
> the AH header. In fact, this appears to be the intention of RFC 2402.
> It is further clarified in section 3.1.1 of
>
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-rfc2402bis-07.txt
>
> This allows us to simplify the code in ah6.c. As a result, this also
> fixes the following issues:
>
> * Dependence on skb->h in ah6_output().
> * Bogus clearing of auth_data of 2nd AH header in ipv6_clear_mutable_options().

Applied, thanks Herbert.