[IPSEC] Use xfrm_rcv for xfrm tunnel packets

From: Herbert Xu (herbert@gondor.apana.org.au)
Date: Tue Jul 29 2003 - 06:33:24 EST


Hi:

This is part of my previous proposal on strengthening policy checks.

This patch makes the xfrm_tunnel code use the same receive functions
as other IPSEC tunnels. As a result, this inserts the tunnel state
into the security path. This should be OK as our current policy check
allows unspecified SAs. It also means that the IPCOMP SA selector
is checked even when the packet is not compressed. Of course, if
the user creates multiple IPCOMP SAs between the same pair of hosts
with differing selectors, then they deserve to lose.

One side effect is that it makes the NOECN flag useful for IPCOMP SAs
assuming that the user makes sure that all IPCOMP SAs sharing the same
tunnel state agree on the flag.

Cheers,

-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

