Re[2]: IPSec Inbound Processing Basic Doubt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

ks> heard that IPSec is kept in a UDP packet and sent.  How does the tx
ks> side processing happen (the host from which the udp encapsulated ipsec
ks> packet originated). The last call in the stackable destination is
ks> ip_output() as you said.
ks> How does it go back to udp(transport) layer in this case.

It doesn't go back.

UDP encapsulation is done for ...

INPUT:
 - udp_rcv
     |
     --- udp_queue_rcv_skb
           |
           --- udp_encap_rcv (strips of udp)
           |
           --- xfrm4_rcv_encap (usual procedure)


OUTPUT:
  - Done in esp_output as part of a stacked destination
    (e.g. net/ipv4/esp4.c)
    NAT-Traversal does only make sense for ESP, as AH protocol
    authenticates ("hashes") whole IP header including
    IP src / dst address, so you can't manipulate afterwards
    like SNAT / DNAT would do.

    exerpt from  net/ipv4/esp4.c

  /* this is non-NULL only with UDP Encapsulation */
71         if (x->encap) {
72                 struct xfrm_encap_tmpl *encap = x->encap;
..                 ...
81
82                 switch (encap->encap_type) {
83                 default:
84                 case UDP_ENCAP_ESPINUDP:
..                         ....
87                 case UDP_ENCAP_ESPINUDP_NON_IKE:
..                         ....
91                         break;
92                 }
93 
94                 top_iph->protocol = IPPROTO_UDP;
95         } else
96                 top_iph->protocol = IPPROTO_ESP;


As you see input and output processing isn't symetric any way,
with or without UDP encapsulation (NAT-T)

Have a look at http://lxr.linux.no which helps a lot sorting out
different pathes in the code. It's a complete cross reference of
the latest and some previous kernels

Best regards
     Michael Becker

Hochschule Niederrhein - Krefeld, Germany

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux