On Mon, Jul 12, 2004 at 05:32:52PM +0900, Kazunori Miyazawa wrote:
>
> right, esp6 tunnel doesn't care about skb->h.raw. we need to fix it.

The same needs to be done to the other tunnels as well. But please
consider the issue in the next paragraph first before doing this.

> > So should it be changed to ip6_find_1stfragopt() as is the case with
> > esp6 and ipcomp6?
>
> Do we need to skip esp or ipcomp payload?
> I think those are similar with transport layer protocol in outer esp process.
> Did I misunderstand your question?

I don't know because I didn't understand your question :)
Let me state a few things and please tell me whether you agree or
disagree:

1. AH's position should be determined by the bundle. So if the
bundle says AH+ESP then AH goes on the outside, if the bundle says
ESP+AH or just AH then AH goes on the inside.

2. If AH is the inner-most xfrm then it should be applied before
the second destination options header.

It seems to me that skb->h is not actually set to the spot pointed
to by ip6_find_1stfragopt() by anything apart from the xfrm output
functions.

Therefore if AH is the inner-most xfrm, then skb->h will also point
to the wrong spot. It would appear to be safest to call
ip6_find_1stfragopt() in AH instead of relying on the value of skb->h.

Regardless of whether we use skb->h or ip6_find_1stfragopt() though,
ah6/esp6/ipcomp6 should all use the same logic to find their spot for
encapsulation. The reason is that the specification in 2402/2406/3173
is identical so we shouldn't have special-case code in AH.

> Because fragmentation takes place after IPsec processing,
> do we need to make ip6_find_1stfragopt care fragment header?
> I think there is no fragment header in skb at that point.

Good point.

Hmm, what about address spoofing? Is there code in IPv6 to prevent
another machine from relaying a packet through us with our source
address?

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
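
The header walk discussed in the message above, as an added userspace C example that is not part of the original message and is not the kernel's ip6_find_1stfragopt(): it finds the offset where an AH/ESP/IPComp header would be inserted, stopping before the second destination options header. The names find_insert_offset and build_sample are hypothetical, and the example assumes a destination options header seen after a routing header is the "second" one.

```c
#include <stdint.h>
#include <string.h>

#define NH_HOP       0   /* hop-by-hop options */
#define NH_ROUTING  43
#define NH_DEST     60   /* destination options */
#define IPV6_HDR_LEN 40

/* Returns the byte offset at which an IPsec header would be inserted, or -1
 * if the extension header chain is truncated. *nh_off receives the offset of
 * the "next header" byte that would be rewritten to the IPsec protocol. */
long find_insert_offset(const uint8_t *pkt, size_t len, size_t *nh_off)
{
    size_t off = IPV6_HDR_LEN, nh = 6, hlen;   /* byte 6: next header */
    int seen_routing = 0;

    if (len < IPV6_HDR_LEN)
        return -1;
    for (;;) {
        uint8_t proto = pkt[nh];

        if (proto != NH_HOP && proto != NH_ROUTING && proto != NH_DEST)
            break;                  /* upper layer or other header */
        if (proto == NH_DEST && seen_routing)
            break;                  /* second destination options header */
        if (len - off < 8)
            return -1;              /* header does not fit in the buffer */
        hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > len - off)
            return -1;              /* length field runs past the buffer */
        if (proto == NH_ROUTING)
            seen_routing = 1;
        nh = off;                   /* first byte of this header is its nexthdr */
        off += hlen;
    }
    *nh_off = nh;
    return (long)off;
}

/* Constructed sample: fixed header, hop-by-hop, routing, dest opts, TCP. */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, 64);             /* hdr ext len 0 means 8 bytes each */
    buf[0] = 0x60;                  /* version 6 */
    buf[6] = NH_HOP;
    buf[40] = NH_ROUTING;           /* nexthdr of hop-by-hop at offset 40 */
    buf[48] = NH_DEST;              /* nexthdr of routing at offset 48 */
    buf[56] = 6;                    /* nexthdr of dest opts: TCP */
    return 64;
}
```

Every xfrm that shares one routine like this computes the same insertion point from the packet itself, independent of what a caller left in a cached pointer.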