Re: [Ipsec] Issue on input process of Linux native IPsec

From: Park Lee
Date: Thu Dec 23 2004 - 01:30:47 EST

On Wed, 22 Dec 2004 at 17:17, Kausty wrote:
> On Tue, 21 Dec 2004 10:52:22 -0800 (PST), Park Lee
> <parklee_sel@xxxxxxxxx> wrote:
> > Hi,
> > We know that the output process of Linux native
> > IPsec fully uses the XFRM architecture. The order
> > of primal functions are xfrm_lookup(),
> > xfrm_tmpl_resolve(), xfrm_bundle_create() and
> > dst_output().
> > The input process for IPsec is more simple than
> > output. The order of primal functions (in IPv4)
> > are xfrm4_rcv(), xfrm4_rcv_encap(),
> > xfrm4_parse_spi(), xfrm4_policy_check().
> > But, Why should the input process also go
> > throught xfrm_lookup(), xfrm_tmpl_resolve(),
> > xfrm_bundle_create()? What's the purpose of this?
> i havent gone through the code flow as u mentioned
> but this is my general idea.
> these are generic lookup functions irrespective of
> ipv6/v4.
> the purpose is to ensure that all the SA's are
> applied hence a bundle needs to be created
> everytime a packet is recieved.
> If no bundle is created then a seperate search
> needs to be done for ESP/AH/Transport/Tunnel
> is this what u were looking for ??

But, After a packet was received, It has already been
processed by xfrm4_rcv(), xfrm4_rcv_encap(),
ah_input(), esp_input(),etc. so, I think that there is
no need to search(or created) a bundle everytime a
packet is recieved, since it has already been
processed. Am I right?

Best Regards,
Park Lee

Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at