
Re: IPv6 and encapsulation headers

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: IPv6 and encapsulation headers
From: Kazunori Miyazawa <kazunori@xxxxxxxxxxxx>
Date: Wed, 14 Jul 2004 13:42:34 +0900
Cc: netdev@xxxxxxxxxxx
In-reply-to: <20040713104837.GA9670@xxxxxxxxxxxxxxxxxxx>
References: <20040710033209.GA14316@xxxxxxxxxxxxxxxxxxx> <200407131042.41346.kazunori@xxxxxxxxxxxx> <20040713104837.GA9670@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: KMail/1.6.2
On 2004/07/13 (Tue) 19:48, you wrote:
> On Tue, Jul 13, 2004 at 10:42:41AM +0900, Kazunori Miyazawa wrote:
> > I agree with you. It should use ip6_find_1stfragopt.
> > However, please consider that zero_out_mutable_opts in ah6.c clears the second
> > destination options header. We need to get the copy length another way,
> > because ip6_find_1stfragopt returns the insertion point for IPsec.
>
> Are there situations where it is desirable to have mutable options
> in the second destination header? Isn't the idea of the second
> destination header so that it is processed only by the final
> destination? I would've thought that it only made sense to have
> immutable options there.
>
> In fact if ESP were present then it guarantees the second dest
> header to be immutable.  So perhaps we should simply disallow
> users from putting mutable options in the second destination
> header.  Or we can document it as undefined and let the user
> handle the consequences (cf HDRINCL with raw sockets + IPsec).
>
Well, we should disallow the operation.

> BTW, the current code in ipv6_clear_mutable_options() that deals
> with NEXTHDR_AUTH is buggy.  It assumes that there are at most two
> AH headers.

Yes, but I guess most implementations and administrators do not put
two or more AH headers in a packet. This restriction doesn't
affect interoperability except for KAME with a special configuration.
Honestly speaking, it is enough for the IPsec stack to process just
one AH, ESP and IPcomp header each. Of course the stack should process
some set of those headers and payloads in tunnel mode.

Thank you for pointing that out,

--Kazunori Miyazawa
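The header walk this exchange is about, as an added example that is not part of the original message and not the Linux code: a stand-alone C model of the two operations under discussion. It finds the IPsec insertion point the way the reply describes ip6_find_1stfragopt doing it (after hop-by-hop, routing, and a destination options header that precedes the routing header; a destination options header after the routing header ends the walk), and it zeroes the fields AH treats as mutable for any number of AH headers in the chain rather than at most two, which is the limitation Herbert points out. It also checks the rule the reply settles on, that the destination options header following the routing header must not carry mutable options. All function names, the packet layout and the sample bytes are constructed for this example; the 0x1E/0x3E option types are the experimental types of RFC 4727, chosen because 0x3E has the "change en route" bit set and 0x1E does not.

```c
/* Stand-alone example written for this page, not the Linux IPsec code: walks an IPv6
 * extension-header chain the way AH must, finding the IPsec insertion point (cf.
 * ip6_find_1stfragopt) and zeroing every mutable field for any number of AH headers. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NEXTHDR_HOP     0
#define NEXTHDR_ROUTING 43
#define NEXTHDR_AUTH    51
#define NEXTHDR_DEST    60
#define IPV6_HLEN       40
#define OPT_MUTABLE     0x20 /* "data may change en route" bit of an option type */
#define AH_FIXED        12   /* AH octets before the ICV: nh, len, rsvd, SPI, seq */

/* AH length is in 4-octet units minus 2; other extension headers in 8-octet units minus 1. */
static size_t ext_len(const uint8_t *h, uint8_t nh)
{
    return nh == NEXTHDR_AUTH ? ((size_t)h[1] + 2) * 4 : ((size_t)h[1] + 1) * 8;
}

/* Count the TLV options with the mutable bit in a hop-by-hop/destination options
 * header, zeroing their data if zero != 0. Pad1 (type 0) has no length octet. */
static int mutable_tlvs(uint8_t *h, size_t hlen, int zero)
{
    size_t i = 2;
    int n = 0;
    while (i < hlen) {
        if (h[i] == 0) { i++; continue; }
        if (i + 2 > hlen || i + 2 + h[i + 1] > hlen) break;   /* malformed: stop here */
        if (h[i] & OPT_MUTABLE) { if (zero) memset(h + i + 2, 0, h[i + 1]); n++; }
        i += 2 + h[i + 1];
    }
    return n;
}

/* IPsec insertion point: after hop-by-hop, routing and any destination options header
 * that precedes routing; a destination options header after the routing header is for
 * the final destination only and ends the walk. Sets *nexthdr; returns 0 if truncated. */
size_t find_1stfragopt(const uint8_t *pkt, size_t len, uint8_t *nexthdr)
{
    if (len < IPV6_HLEN) return 0;
    size_t off = IPV6_HLEN, l;
    uint8_t nh = pkt[6];
    int found_rhdr = 0;
    while (nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_DEST) {
        if (nh == NEXTHDR_ROUTING) found_rhdr = 1;
        else if (nh == NEXTHDR_DEST && found_rhdr) break;
        if (off + 8 > len || off + (l = ext_len(pkt + off, nh)) > len) return 0;
        nh = pkt[off];
        off += l;
    }
    *nexthdr = nh;
    return off;
}

/* The rule the thread settles on: the destination options header that follows the
 * routing header must not carry mutable options. Returns 1 if this packet's does. */
int second_dest_has_mutable(uint8_t *pkt, size_t len)
{
    uint8_t nh;
    size_t off = find_1stfragopt(pkt, len, &nh);
    if (!off || nh != NEXTHDR_DEST || off + 8 > len || off + ext_len(pkt + off, nh) > len) return 0;
    return mutable_tlvs(pkt + off, ext_len(pkt + off, nh), 0) > 0;
}

/* Zero what AH treats as mutable: traffic class, flow label and hop limit; mutable
 * options in hop-by-hop/destination headers; the ICV of every AH header, however many
 * (the type-0 routing header is mutable-but-predictable and is left alone here).
 * Returns the AH count, or -1 if the chain is truncated or an AH header is too short. */
int clear_mutable(uint8_t *pkt, size_t len, int *opts_zeroed)
{
    if (len < IPV6_HLEN) return -1;
    size_t off = IPV6_HLEN, l;
    uint8_t nh = pkt[6];
    int ah = 0;
    pkt[0] &= 0xF0; pkt[1] = pkt[2] = pkt[3] = pkt[7] = 0;   /* TC, flow label, hop limit */
    *opts_zeroed = 0;
    while (nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_DEST || nh == NEXTHDR_AUTH) {
        if (off + 8 > len || off + (l = ext_len(pkt + off, nh)) > len ||
            (nh == NEXTHDR_AUTH && l < AH_FIXED)) return -1;
        if (nh == NEXTHDR_HOP || nh == NEXTHDR_DEST)
            *opts_zeroed += mutable_tlvs(pkt + off, l, 1);
        else if (nh == NEXTHDR_AUTH) { memset(pkt + off + AH_FIXED, 0, l - AH_FIXED); ah++; }
        nh = pkt[off];
        off += l;
    }
    return ah;
}

/* Constructed packet: IPv6 | HBH(mutable opt 0x3E) | RH0 | ah_count x AH | DstOpts(option
 * type `second`) | 4 payload octets. 0x1E/0x3E are RFC 4727 experimental option types.
 * b must hold 68 + 24*ah_count octets; returns that total length. */
size_t build_sample(uint8_t *b, int ah_count, uint8_t second)
{
    size_t n = IPV6_HLEN, total = 68 + 24 * (size_t)ah_count;
    memset(b, 0, total);
    b[0] = 0x6A; b[1] = 0xBC; b[2] = 0xDE; b[3] = 0xF0;  /* version 6, nonzero TC and flow label */
    b[5] = (uint8_t)(total - IPV6_HLEN); b[6] = NEXTHDR_HOP; b[7] = 64;
    b[n] = NEXTHDR_ROUTING; b[n + 2] = 0x3E; b[n + 3] = 4; memset(b + n + 4, 0xAA, 4); n += 8;
    b[n] = ah_count ? NEXTHDR_AUTH : NEXTHDR_DEST; n += 8;  /* RH0 with no addresses */
    for (int i = 0; i < ah_count; i++, n += 24) {           /* SPI 1, 12-octet fake ICV */
        b[n] = i + 1 < ah_count ? NEXTHDR_AUTH : NEXTHDR_DEST; b[n + 1] = 4; b[n + 7] = 1;
        memset(b + n + AH_FIXED, 0x11, 12);
    }
    b[n] = 6 /* TCP */; b[n + 2] = second; b[n + 3] = 4; memset(b + n + 4, 0xAA, 4); n += 8;
    memset(b + n, 0x55, 4);
    return total;
}
```

With three AH headers in the sample chain, clear_mutable() zeroes all three ICVs and the hop-by-hop option data while leaving the immutable option in the final destination options header and the payload untouched, and second_dest_has_mutable() flags the variant whose final destination options header carries a 0x3E option. A real AH implementation would additionally handle the type-0 routing header (re-ordering its addresses to their final form) and stop at ESP, neither of which this model attempts.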
