From: "Ward, David - 0663 - MITLL" <david.ward@ll.mit.edu>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH net-next] xfrm: Call IP receive handler directly for inbound tunnel-mode packets
Date: Mon, 2 Jan 2012 14:52:36 -0500 [thread overview]
Message-ID: <4F020B04.9000104@ll.mit.edu> (raw)
In-Reply-To: <20120102072828.GA5380@gondor.apana.org.au>
[-- Attachment #1: Type: text/plain, Size: 2058 bytes --]
Hi Herbert,
On 01/02/2012 02:28 AM, Herbert Xu wrote:
> On Sun, Jan 01, 2012 at 10:32:34PM -0500, David Ward wrote:
>> For IPsec tunnel mode (or BEET mode), after inbound packets are xfrm'ed,
>> call the IPv4/IPv6 receive handler directly instead of calling netif_rx.
>> In addition to avoiding unneeded re-processing of the MAC layer, packets
>> will not be received a second time on network taps. (Note that outbound
>> packets are only received on network taps post-xfrm, but inbound packets
>> were being received both pre- and post-xfrm. So now network taps will
>> receive packets in either direction only once, in the form that they go
>> "over the wire".)
>>
>> Signed-off-by: David Ward<david.ward@ll.mit.edu>
>> Cc: Herbert Xu<herbert@gondor.apana.org.au>
> You can't do this as this may cause stack overruns if we nest
> too deeply.
Sorry if I'm missing something, but how are such overruns avoided on the
outbound side?
> Changing the existing tap processing behaviour will also break
> existing setups.
Assuming there might be a better way to make this change, are there
examples of existing setups that would be negatively affected? From my
perspective this behavior is just an unintended artifact of xfrm'ed
packets being placed back into netif_rx, which only occurs for inbound
packets, and it complicates the usage of network taps on these
interfaces (i.e. how do you systematically determine whether any packet
is post-xfrm and was already seen in an earlier form?). It seems to me
that network taps operate at a lower layer than xfrm, and so xfrm should
be invisible to the network taps. If users are, for example, capturing
ESP packets from a PF_PACKET socket and want to examine the decrypted
payload, I think the capture application should be responsible for the
decryption, just as it would be at higher layers with something like
SSL/TLS (and again for example, both protocols can be decrypted by
Wireshark when provided the keys).
I would appreciate your feedback.
David
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4558 bytes --]
next prev parent reply other threads:[~2012-01-02 19:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-02 3:32 [PATCH net-next] xfrm: Call IP receive handler directly for inbound tunnel-mode packets David Ward
2012-01-02 7:28 ` Herbert Xu
2012-01-02 8:18 ` Eric Dumazet
2012-01-03 17:56 ` David Miller
2012-01-02 19:52 ` Ward, David - 0663 - MITLL [this message]
2012-01-11 4:45 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F020B04.9000104@ll.mit.edu \
--to=david.ward@ll.mit.edu \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).