From: David Woodhouse <dwmw2@infradead.org>
To: David Miller <davem@davemloft.net>
Cc: mst@redhat.com, herbert@gondor.apana.org.au,
eric.dumazet@gmail.com, jan.kiszka@siemens.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
qemu-devel@nongnu.org
Subject: Re: [PATCH] tun: orphan an skb on tx
Date: Mon, 02 Feb 2015 07:27:10 +0000 [thread overview]
Message-ID: <1422862030.11044.86.camel@infradead.org> (raw)
In-Reply-To: <20150201.210716.588479604128207372.davem@davemloft.net>
[-- Attachment #1: Type: text/plain, Size: 2997 bytes --]
On Sun, 2015-02-01 at 21:07 -0800, David Miller wrote:
> From: David Woodhouse <dwmw2@infradead.org>
> Date: Sun, 01 Feb 2015 21:29:43 +0000
>
> > I really was looking for some way to push down something like an XFRM
> > state into the tun device and just say "shove them out here until I tell
> > you otherwise".
>
> People decided to use TUN and push VPN stuff back into userspace,
> and there are repercussions for that decision.
>
> I'm not saying this to be mean or whatever, but I was very
> disappointed when userland IPSEC solutions using TUN started showing
> up.
Yeah. That's a valid criticism of vpnc, certainly. I never did
understand why it reimplemented the IPSec stack.
For my OpenConnect client it's somewhat more justified though — the
initial data transport there is over TLS, which the kernel doesn't
support. And if we *can* establish UDP communication, that's over DTLS
which the kernel doesn't support either. It's not even the *standard*
version of DTLS because Cisco are still using a pre-RFC4347 version of
the protocol. And we also need to probe the UDP connectivity and do
keepalives and manage the fallback to using the TCP data transport.
It's not like vpnc where it really is just a case of setting up the ESP
context and letting it run.
It's only now I've added Juniper support, which uses ESP-in-UDP for the
data transport, that I'm doing something that the kernel supports at
all. And now I'm looking at how to make use of that.
> We might as well have not have implemented the IPSEC stack at all,
> because as a result of the userland VPN stuff our IPSEC stack is
> largely unused except by a very narrow group of users.
Well, I'd love to make better use of it if I can. I do suspect it makes
most sense for userspace to continue to manage the probing of UDP
connectivity, and the fallback to TCP mode — and I suspect it also makes
sense to continue to use tun for passing packets up to the VPN client
when it's using the TCP transport.
So the question would be how we handle redirecting the packet flow to
the optional UDP transport, when the VPN client determines that it's
available. For the sake of the user setting up firewall and routing
rules, I do think it's important that it continues to appear to
userspace as the *same* device for the entire lifetime of the session,
regardless of which transport the packets happen to be using at a given
moment in time. It doesn't *have* to be tun, though.
You don't seem to like my suggestion of somehow pushing down an XFRM
state to the tun device to direct the packets out there instead of up to
userspace. Do you have an alternative suggestion... or a specific
concern that would help me come up with something you like better?
I'm guessing you don't want to push the *whole* management of the TLS
control connection *and* the UDP transport, and probing the latter with
keepalives, into the kernel? I certainly don't :)
--
dwmw2
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5745 bytes --]
next prev parent reply other threads:[~2015-02-02 7:27 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-13 14:59 [PATCH] tun: orphan an skb on tx Michael S. Tsirkin
2010-04-13 15:12 ` Herbert Xu
2010-04-13 15:36 ` Jan Kiszka
2010-04-13 16:40 ` Eric Dumazet
2010-04-13 16:52 ` Jan Kiszka
2010-04-13 17:39 ` Michael S. Tsirkin
2010-04-13 18:31 ` Eric Dumazet
2010-04-13 20:25 ` Michael S. Tsirkin
2010-04-13 20:38 ` Eric Dumazet
2010-04-13 20:43 ` Michael S. Tsirkin
2010-04-14 0:58 ` Herbert Xu
2010-04-14 11:55 ` David Miller
2015-02-01 11:20 ` David Woodhouse
2015-02-01 12:26 ` Michael S. Tsirkin
2015-02-01 13:33 ` David Woodhouse
2015-02-01 20:19 ` David Miller
2015-02-01 21:29 ` David Woodhouse
2015-02-02 5:07 ` David Miller
2015-02-02 7:27 ` David Woodhouse [this message]
2015-02-02 8:24 ` Steffen Klassert
2015-02-02 15:30 ` David Woodhouse
2015-02-02 15:23 ` Phil Sutter
2015-02-02 15:47 ` David Woodhouse
2015-02-04 0:19 ` David Miller
2015-02-04 6:35 ` David Woodhouse
2021-06-25 15:56 ` Bringing the SSL VPN data path back in-kernel David Woodhouse
2010-04-21 11:35 ` [PATCH] tun: orphan an skb on tx Michael S. Tsirkin
2010-04-21 11:46 ` Jan Kiszka
2010-04-21 11:45 ` Michael S. Tsirkin
2010-04-21 19:16 ` [stable] " Greg KH
2010-09-14 15:20 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1422862030.11044.86.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=jan.kiszka@siemens.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).