Re[2]: IPSec Inbound Processing Basic Doubt
From: Michael Becker
Date: Tue Jun 28 2005 - 16:51:49 EST
Hello,
ks> heard that IPSec is kept in a UDP packet and sent. How does the tx
ks> side processing happen (the host from which the udp encapsulated ipsec
ks> packet originated). The last call in the stackable destination is
ks> ip_output() as you said.
ks> How does it go back to udp(transport) layer in this case.
It doesn't go back.
UDP encapsulation is done for ...
INPUT:
- udp_rcv
|
--- udp_queue_rcv_skb
|
--- udp_encap_rcv (strips of udp)
|
--- xfrm4_rcv_encap (usual procedure)
OUTPUT:
- Done in esp_output as part of a stacked destination
(e.g. net/ipv4/esp4.c)
NAT-Traversal does only make sense for ESP, as AH protocol
authenticates ("hashes") whole IP header including
IP src / dst address, so you can't manipulate afterwards
like SNAT / DNAT would do.
exerpt from net/ipv4/esp4.c
/* this is non-NULL only with UDP Encapsulation */
71 if (x->encap) {
72 struct xfrm_encap_tmpl *encap = x->encap;
.. ...
81
82 switch (encap->encap_type) {
83 default:
84 case UDP_ENCAP_ESPINUDP:
.. ....
87 case UDP_ENCAP_ESPINUDP_NON_IKE:
.. ....
91 break;
92 }
93
94 top_iph->protocol = IPPROTO_UDP;
95 } else
96 top_iph->protocol = IPPROTO_ESP;
As you see input and output processing isn't symetric any way,
with or without UDP encapsulation (NAT-T)
Have a look at http://lxr.linux.no which helps a lot sorting out
different pathes in the code. It's a complete cross reference of
the latest and some previous kernels
Best regards
Michael Becker
Hochschule Niederrhein - Krefeld, Germany
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/