From: Lorenzo Colitti <lorenzo@google.com>
To: netdev@vger.kernel.org
Cc: steffen.klassert@secunet.com, subashab@codeaurora.org, nharold@google.com
Subject: [RFC ipsec-next 0/4]: Support multiple VTIs with the same src+dst pair
Date: Tue, 19 Dec 2017 01:16:52 +0900
Message-ID: <20171218161656.40618-1-lorenzo@google.com>

When using IPsec tunnel mode, VTIs provide many benefits compared
to direct configuration of xfrm policies / states. However, one
limitation is that there can only be one VTI between a given pair
of IP addresses. This does not allow configuring multiple IPsec
tunnels to the same security gateway. This is required by some
deployments, for example I-WLAN [3GPP TS 24.327].

This patchset introduces a new VTI_KEYED flag that allows
configuration of multiple VTIs between the same IP address
pairs. The output path is the same as current VTI behaviour,
where a routing lookup selects a VTI interface, and the VTI's
okey specifies the mark to use in the XFRM lookup. The input and
ICMP error paths instead work by first looking up an SA with a
loose match that ignores the mark. That mark is then used to find
the tunnel by ikey.

This approach is simple and requires few userspace changes, but
it has one limitation in that ICMP errors received in response to
VTI-emitted packets can only be processed if the VTI's ikey and
okey are the same. This limitation could be lifted by introducing
another XFRM mark, similar to XFRMA_OUTPUT_MARK, but used for
input.
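The three lookup paths the cover letter describes (output by okey, input by loose SA match then ikey, and the ICMP error case that only works when ikey == okey), as an added Python model that is not part of the patchset or the kernel; the SA and VTI tables, addresses, SPIs and function names are constructed assumptions used only to make the behaviour concrete.

```python
# Added illustration (not kernel code): a model of the VTI_KEYED lookup paths.
# All names, tables and values are assumptions constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int
    mark: int   # xfrm mark the SA was installed with

@dataclass(frozen=True)
class VTI:
    name: str
    src: str
    dst: str
    ikey: int   # matched against the SA's mark on input
    okey: int   # used as the mark for the XFRM lookup on output

# Constructed sample: two tunnels to the same gateway 203.0.113.1.
# vti0 has ikey == okey; vti1 deliberately has ikey != okey.
TUNNELS = [VTI("vti0", "192.0.2.10", "203.0.113.1", 10, 10),
           VTI("vti1", "192.0.2.10", "203.0.113.1", 21, 20)]
SAS = [SA("192.0.2.10", "203.0.113.1", 0x1001, 10),  # out, mark 10
       SA("203.0.113.1", "192.0.2.10", 0x2001, 10),  # in,  mark 10
       SA("192.0.2.10", "203.0.113.1", 0x1002, 20),  # out, mark 20
       SA("203.0.113.1", "192.0.2.10", 0x2002, 21)]  # in,  mark 21

def xfrm_lookup_with_mark(src, dst, mark):
    """Output path: exact match including the mark (the VTI's okey)."""
    return next((s for s in SAS if (s.src, s.dst, s.mark) == (src, dst, mark)), None)
def xfrm_lookup_loose(src, dst, spi):
    """Input path: match addresses and SPI, ignoring the mark."""
    return next((s for s in SAS if (s.src, s.dst, s.spi) == (src, dst, spi)), None)
def vti_by_ikey(local, remote, key):
    return next((t for t in TUNNELS if (t.src, t.dst, t.ikey) == (local, remote, key)), None)
def output(tunnel):
    """Routing picked `tunnel`; its okey becomes the mark for the SA lookup."""
    return xfrm_lookup_with_mark(tunnel.src, tunnel.dst, tunnel.okey)
def input_path(src, dst, spi):
    """Loose SA match first; the SA's mark then selects the tunnel by ikey."""
    sa = xfrm_lookup_loose(src, dst, spi)
    return None if sa is None else vti_by_ikey(dst, src, sa.mark)
def icmp_error(tunnel):
    """The ICMP error quotes the packet we emitted (SA chosen by okey), but the
    tunnel is found by ikey: this only succeeds when ikey == okey."""
    sa = output(tunnel)
    return None if sa is None else vti_by_ikey(sa.src, sa.dst, sa.mark)
```

Running it shows vti1's ICMP errors cannot be attributed to a tunnel, which is exactly the limitation the cover letter notes.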

Thread overview:
2017-12-18 16:16 Lorenzo Colitti [this message]
2017-12-18 16:16 ` [RFC ipsec-next 1/4] met: xfrm: Add an xfrm lookup that ignores the mark  Lorenzo Colitti
2017-12-18 16:16 ` [RFC ipsec-next 2/4] net: xfrm: find VTI interfaces from xfrm_input  Lorenzo Colitti
2017-12-18 16:16 ` [RFC ipsec-next 3/4] net: xfrm: support multiple VTI tunnels  Lorenzo Colitti
2017-12-18 17:56   ` David Miller
2017-12-20 17:12     ` Lorenzo Colitti
2017-12-18 16:16 ` [RFC ipsec-next 4/4] net: xfrm: don't pass tunnel objects to xfrm6_rcv_spi  Lorenzo Colitti