
Change some IPsec structures.

Description

Change the field order of struct secpolicyindex to match the layout of
struct secasindex. Remove unused fields.

Change struct ipsecrequest. Remove most of the fields and the rwlock, keep
only the secasindex selector and the required level of the IPsec transform.
The selector has src/dst addresses, security protocol (ESP/AH), IPsec
mode (transport/tunnel) and request id. This will help to get away
from nontrivial locking with IPSECREQUEST_LOCK().

Change struct secpolicy to keep ipsecrequests in a limited-size
array of pointers and add a tcount (transforms count) field to specify
the number of transforms in the array. Limit the maximum number of transforms
with the IPSEC_MAXREQ macro (it is 4 for now).
Previously it was possible to specify an unlimited number of IPsec
transforms that should be handled in a sequence (this is also called
an "SA bundle"). Actually, such an ability was not implemented in the IPv6
code. Also modern IPsec RFC 4301 doesn't require this support (p4.3).
From a practical point of view, supporting too many ipsec requests in a
chain is also useless.
The main idea is that ipsecrequest just defines the transforms that
we should do to conform to a given security policy. Now we will not save
the SA used by the policy for each packet in the policy's ipsecrequest.
Instead we will always do a new SA lookup and use the result as is.

Holding the IPSECREQUEST_LOCK probably had another purpose. TCP code
used the SA stored in ipsecrequest to determine the size consumed by
IPsec headers. We will use the hdrsz field in struct inpcbpolicy for this
purpose.

Add two new LIST_ENTRY fields to struct secpolicy. idhash will be used
for fast SP lookup by id. drainq will be used by the expiring code.

Introduce several new SP states:

  • IPSEC_SPSTATE_LARVAL will be used by SP added by SADB_X_SPDSETIDX message.
  • IPSEC_SPSTATE_PCB will be used by SP added by setsockopt() call.
  • IPSEC_SPSTATE_IFNET will be used by SP added by IPsec virtual tunneling interface.

Change struct inpcbpolicy. Now the sp_in/sp_out fields can be used by the
kernel to cache security policies used by packets that have an inpcb.
In case an application sets its own security policy or configures IPsec
bypass, the flags field will have the corresponding value.
The genid field will be used to check that the SP pointer isn't expired.
The hdrsz field will be used by TCP code to determine the size of headers
consumed by IPsec.
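The bounded transform array with its tcount, and the genid check that guards a cached SP pointer in struct inpcbpolicy, as an added illustrative model in C. This is not FreeBSD's netipsec code: the field types, the simplified secasindex, and the helpers sp_add_request, inp_policy_valid and demo_* are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Illustrative model of the structures in the commit message, not FreeBSD's
 * netipsec code: field types and the demo_* helpers are assumptions. */
#define IPSEC_MAXREQ 4                  /* maximum transforms per policy */
/* SA selector: addresses (IPv4 only here), ESP/AH, transport/tunnel, reqid */
struct secasindex { uint32_t src, dst, reqid; uint8_t proto, mode; };
/* A request is just the selector plus the required level of the transform */
struct ipsecrequest { struct secasindex saidx; int level; };
struct secpolicy {
    struct ipsecrequest *req[IPSEC_MAXREQ]; /* bounded "SA bundle" */
    int tcount;                         /* transforms present in req[] */
    uint32_t genid;                     /* bumped when the SP is invalidated */
};
struct inpcbpolicy {
    struct secpolicy *sp_out;           /* policy cached for this inpcb */
    uint32_t genid;                     /* sp_out->genid at caching time */
    uint32_t hdrsz;                     /* bytes consumed by IPsec headers */
};

/* Append a transform; refuse instead of growing past IPSEC_MAXREQ. */
int sp_add_request(struct secpolicy *sp, struct ipsecrequest *isr) {
    if (sp->tcount >= IPSEC_MAXREQ)
        return -1;
    sp->req[sp->tcount++] = isr;
    return 0;
}
/* A cached SP pointer is usable only while its genid still matches. */
bool inp_policy_valid(const struct inpcbpolicy *inp) {
    return inp->sp_out != NULL && inp->sp_out->genid == inp->genid;
}

/* Try to add IPSEC_MAXREQ + 1 transforms; returns the resulting tcount. */
int demo_bundle_limit(void) {
    static struct ipsecrequest isr[IPSEC_MAXREQ + 1];
    struct secpolicy sp = { 0 };
    for (int i = 0; i < IPSEC_MAXREQ + 1; i++)
        (void)sp_add_request(&sp, &isr[i]);
    return sp.tcount;
}
/* Cache an SP, then change it; returns 1 if the genid check noticed. */
int demo_cache_invalidation(void) {
    struct secpolicy sp = { .genid = 7 };
    struct inpcbpolicy inp = { .sp_out = &sp, .genid = 7, .hdrsz = 0 };
    if (!inp_policy_valid(&inp))
        return 0;
    sp.genid++;                         /* policy changed under the cache */
    return !inp_policy_valid(&inp);
}
```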

Details

Provenance
Authored by ae
Parents
rS308830: Make fdt_is_compatible a static function. It's only used in fdt_common.c.