Add UDP encapsulation of ESP in IPv6
Abandoned, Public

Authored by allanjude on Nov 19 2019, 2:02 PM.

Details

Summary

This patch provides UDP encapsulation of ESP packets over IPv6.
It mostly consists of porting IPv4 code to IPv6 and adding support for IPv6 in udpencap.c.
As required by the RFC and unlike in IPv4 encapsulation, UDP checksums are calculated.

Sponsored by: Stormshield

Test Plan

After enabling UDP encapsulation, pings are correctly encapsulated in UDP, transferred and decapsulated on the other side of the tunnel.

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Skipped
Unit: Tests Skipped
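
The summary's point that IPv6 encapsulation carries a computed UDP checksum, shown as an added user-space C example (not code from this patch or from FreeBSD). The function names, the sample ports and addresses used to exercise it are assumptions; the pseudo-header layout follows RFC 8200.

```c
#include <stdint.h>
#include <string.h>

/* One's-complement sum of len bytes added to acc, folded to 16 bits. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;        /* odd byte, zero padded */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* Sum over the IPv6 pseudo-header (RFC 8200 section 8.1) and the datagram. */
static uint16_t udp6_sum(const uint8_t src[16], const uint8_t dst[16],
                         const uint8_t *udp, size_t udplen)
{
    uint8_t tail[8] = { (uint8_t)(udplen >> 24), (uint8_t)(udplen >> 16),
                        (uint8_t)(udplen >> 8), (uint8_t)udplen,
                        0, 0, 0, 17 };          /* next header 17 = UDP */
    uint32_t acc = sum16(dst, 16, sum16(src, 16, 0));
    return (uint16_t)sum16(udp, udplen, sum16(tail, sizeof(tail), acc));
}

/* Sender: UDP header + ESP payload into out; returns length, 0 on error. */
size_t udpencap6_build(uint8_t *out, size_t outlen, const uint8_t src[16],
                       const uint8_t dst[16], uint16_t sport, uint16_t dport,
                       const uint8_t *esp, size_t esplen)
{
    size_t udplen = 8 + esplen;
    if (udplen > outlen || udplen > 0xffff) return 0;
    out[0] = (uint8_t)(sport >> 8);  out[1] = (uint8_t)sport;
    out[2] = (uint8_t)(dport >> 8);  out[3] = (uint8_t)dport;
    out[4] = (uint8_t)(udplen >> 8); out[5] = (uint8_t)udplen;
    out[6] = out[7] = 0;                        /* zero while summing */
    memcpy(out + 8, esp, esplen);
    uint16_t ck = (uint16_t)~udp6_sum(src, dst, out, udplen);
    if (ck == 0) ck = 0xffff;                   /* 0 would mean "no checksum" */
    out[6] = (uint8_t)(ck >> 8); out[7] = (uint8_t)ck;
    return udplen;
}

/* Receiver: drop zero checksums (RFC 8200 default), then verify the sum. */
int udpencap6_verify(const uint8_t src[16], const uint8_t dst[16],
                     const uint8_t *udp, size_t udplen)
{
    if (udplen < 8 || (udp[6] == 0 && udp[7] == 0)) return 0;
    return udp6_sum(src, dst, udp, udplen) == 0xffff;
}
```
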

Event Timeline

sys/netinet6/udp6_usrreq.c
171

I think this won't work if the kernel was built without INET support.
I.e. we need to implement per-AF methods.

707

This ifdef looks useless, is it possible for udp6_ctloutput() to be called without INET6?

sys/netipsec/ipsec_output.c
778

This also seems unneeded if we have NAT-T support for both AF.

sys/netipsec/udpencap.c
124

Without ifdefs this will lead to build failure for NOINET/NOINET6 builds. I think to reduce the number of ifdefs we can move ip/ip6 declarations to the switch (af) below.

326

It seems you didn't modify key_setnatt() to handle IPv6 addresses. Is it not needed? :)

I'll try to test this and commit with small modifications after weekend. Thanks!

Is this review still active? Would be useful functionality in some scenarios.