* [RFC][IPSEC]: tunnel mode processing
@ 2006-09-01 0:55 jamal
2006-09-01 4:07 ` Herbert Xu
0 siblings, 1 reply; 7+ messages in thread
From: jamal @ 2006-09-01 0:55 UTC (permalink / raw)
To: David Miller; +Cc: herbert, netdev
At the moment transport mode processing is not dependent on skb->dst
being passed. Tunnel mode derives the ip->id and ttl from it. More like
computes ip->id.
I am trying to generate traffic via pktgen and it would be nice if i
could get the same behavior on tunnel mode as in transport mode. I dont
think it matters what the values of those two fields are.
Would it be reasonable to do a check so that incase a skb->dst doesnt
exist, the inner headers values can be used i.e something along
xfrm4_tunnel_output()::
----
top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
0 : (iph->frag_off & htons(IP_DF));
if (dst) {
if (!top_iph->frag_off)
__ip_select_ident(top_iph, dst->child, 0);
top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
} else {
top_iph->id = iph->id;
top_iph->ttl = iph->ttl;
}
----
cheers,
jamal
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC][IPSEC]: tunnel mode processing
2006-09-01 0:55 [RFC][IPSEC]: tunnel mode processing jamal
@ 2006-09-01 4:07 ` Herbert Xu
2006-09-01 12:17 ` jamal
0 siblings, 1 reply; 7+ messages in thread
From: Herbert Xu @ 2006-09-01 4:07 UTC (permalink / raw)
To: jamal; +Cc: David Miller, netdev
On Thu, Aug 31, 2006 at 08:55:27PM -0400, jamal wrote:
>
> Would it be reasonable to do a check so that incase a skb->dst doesnt
> exist, the inner headers values can be used i.e something along
> xfrm4_tunnel_output()::
If you didn't care what values they were, couldn't you just stuff some
bogus dst into the skb? If this packet is going somewhere you're going
to have a dst one way or another :)
Also, the IPID is only generated if DF is not set on the packet.
Otherwise this path is already as fast as it can be.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC][IPSEC]: tunnel mode processing
2006-09-01 4:07 ` Herbert Xu
@ 2006-09-01 12:17 ` jamal
2006-09-01 12:22 ` Herbert Xu
0 siblings, 1 reply; 7+ messages in thread
From: jamal @ 2006-09-01 12:17 UTC (permalink / raw)
To: Herbert Xu; +Cc: David Miller, netdev
On Fri, 2006-01-09 at 14:07 +1000, Herbert Xu wrote:
> On Thu, Aug 31, 2006 at 08:55:27PM -0400, jamal wrote:
> >
> > Would it be reasonable to do a check so that incase a skb->dst doesnt
> > exist, the inner headers values can be used i.e something along
> > xfrm4_tunnel_output()::
>
> If you didn't care what values they were, couldn't you just stuff some
> bogus dst into the skb?
That bogus dst is NULL ;->
> If this packet is going somewhere you're going
> to have a dst one way or another :)
If i was going to use routing/layer 3, then true. At the pktgen level
"somewhere" is just "shove down the ether". Actually (i havent thought
clearly about this) wouldnt a bump in the wire implementation aka
bridging level also not care about route details?
Note: This does not absolve the need for a secure ipid or a proper ttl.
> Also, the IPID is only generated if DF is not set on the packet.
> Otherwise this path is already as fast as it can be.
In the case of traffic generation, if i could shave even more cycles the
better since i want to generate high speed. In this case the cycles
would be in creating a fake dst and attaching it some fake values.
I do agree that it is an awkward way of achieving my goals - but i dont
know of a clever way to do it ;->
cheers,
jamal
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC][IPSEC]: tunnel mode processing
2006-09-01 12:17 ` jamal
@ 2006-09-01 12:22 ` Herbert Xu
2006-09-01 12:56 ` jamal
0 siblings, 1 reply; 7+ messages in thread
From: Herbert Xu @ 2006-09-01 12:22 UTC (permalink / raw)
To: jamal; +Cc: David Miller, netdev
On Fri, Sep 01, 2006 at 08:17:14AM -0400, jamal wrote:
>
> In the case of traffic generation, if i could shave even more cycles the
> better since i want to generate high speed. In this case the cycles
> would be in creating a fake dst and attaching it some fake values.
Right, you're testing the receiver side. In that case I suggest that
you replicate the IPsec transport mode logic in the generator. Just
as pktgen doesn't use net/ipv4/udp.c to generate UDP traffic, it doesn't
really need to use xfrm4_output.c to generate IPsec traffic.
You can still call down to esp4.c through the type pointer of course.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC][IPSEC]: tunnel mode processing
2006-09-01 12:22 ` Herbert Xu
@ 2006-09-01 12:56 ` jamal
2006-09-01 13:04 ` Herbert Xu
0 siblings, 1 reply; 7+ messages in thread
From: jamal @ 2006-09-01 12:56 UTC (permalink / raw)
To: Herbert Xu; +Cc: David Miller, netdev
On Fri, 2006-01-09 at 22:22 +1000, Herbert Xu wrote:
> Right, you're testing the receiver side.
both in/out sides (on the receiver); i just count and drop all packets
coming back to the sender (the pktgenerator)
> In that case I suggest that
> you replicate the IPsec transport mode logic in the generator.
Tunnel mode you mean, i think.
> Just
> as pktgen doesn't use net/ipv4/udp.c to generate UDP traffic, it doesn't
> really need to use xfrm4_output.c to generate IPsec traffic.
>
IPsec is slightly different since i need to use state in the core. i.e
it is stateful. Nothing that pktgen does today has such requirements.
> You can still call down to esp4.c through the type pointer of course.
Thats one idea i havent thought of.
i.e the code would look like:
-----
if (mode == tunnel)
err = mytunneloutput (x, skb);
else
err = x->mode->output(x, skb);
if (err)
goto error;
err = x->type->output(x, skb);
--
This is what you are suggesting?
I am probably better off going back to creating a dummy dst with just
those two fields when in tunnel mode;->
cheers,
jamal
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC][IPSEC]: tunnel mode processing
2006-09-01 12:56 ` jamal
@ 2006-09-01 13:04 ` Herbert Xu
2006-09-01 13:12 ` jamal
0 siblings, 1 reply; 7+ messages in thread
From: Herbert Xu @ 2006-09-01 13:04 UTC (permalink / raw)
To: jamal; +Cc: David Miller, netdev
On Fri, Sep 01, 2006 at 08:56:18AM -0400, jamal wrote:
>
> Thats one idea i havent thought of.
>
> i.e the code would look like:
> -----
> if (mode == tunnel)
> err = mytunneloutput (x, skb);
> else
> err = x->mode->output(x, skb);
> if (err)
> goto error;
> err = x->type->output(x, skb);
> --
>
> This is what you are suggesting?
Yes, I suppose you could even replace x->mode directly.
> I am probably better off going back to creating a dummy dst with just
> those two fields when in tunnel mode;->
Probably. Although if you write your own output function you could
make it go faster by adapting it to the specifics of pktgen.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [RFC][IPSEC]: tunnel mode processing
2006-09-01 13:04 ` Herbert Xu
@ 2006-09-01 13:12 ` jamal
0 siblings, 0 replies; 7+ messages in thread
From: jamal @ 2006-09-01 13:12 UTC (permalink / raw)
To: Herbert Xu; +Cc: David Miller, netdev
On Fri, 2006-01-09 at 23:04 +1000, Herbert Xu wrote:
> Yes, I suppose you could even replace x->mode directly.
>
> > I am probably better off going back to creating a dummy dst with just
> > those two fields when in tunnel mode;->
>
> Probably. Although if you write your own output function you could
> make it go faster by adapting it to the specifics of pktgen.
gah. Ok, probably better solution to go this path then ;->
cheers,
jamal
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2006-09-01 13:12 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-09-01 0:55 [RFC][IPSEC]: tunnel mode processing jamal
2006-09-01 4:07 ` Herbert Xu
2006-09-01 12:17 ` jamal
2006-09-01 12:22 ` Herbert Xu
2006-09-01 12:56 ` jamal
2006-09-01 13:04 ` Herbert Xu
2006-09-01 13:12 ` jamal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox