From: Steffen Klassert <steffen.klassert@secunet.com>
To: Christophe Gouault <christophe.gouault@6wind.com>
Cc: Saurabh Mohan <saurabh.mohan@brocade.com>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Andrew Collins <bsderandrew@gmail.com>,
Fan Du <fan.du@windriver.com>
Subject: Re: [PATCH net v3] vti: fix spd lookup: match plaintext pkt, not ipsec pkt
Date: Thu, 21 Nov 2013 12:45:53 +0100
Message-ID: <20131121114553.GC31491@secunet.com>
In-Reply-To: <528DDB5F.8080400@6wind.com>

On Thu, Nov 21, 2013 at 11:07:27AM +0100, Christophe Gouault wrote:
>
> But you can optionally apply differentiated policies within the same
> tunnel, by setting SPs with narrower selectors: according to the
> plaintext traffic that crosses the tunnel, you can request to use
> different protocols (esp/ah), different SAs, maybe drop some traffic.

This raises the question about the MTU of a vti device. If the SA
is not unique, it is not clear which MTU we should use for that device.

> Only ipsec tunnel mode and drop policies should be bound to a VTI interface.
>
> And the patch restores the SP semantics: the selector is used to match
> the plaintext traffic, not the IPsec encrypted traffic.
>

On the other hand, I've spent quite some time to figure out how
inter address family tunneling can work with vti devices. It
seems that we need plaintext matching to get this to work.