Michael Richardson
2006-01-04 17:17:20
>>>>> "Paul" == Paul Wouters <paul@xelerance.com> writes:
    Paul> The cards cannot and should not rewrite ipsec packets. Any
    Paul> change will break the authenticity of the packet. IPsec
    Paul> protects against packet rewriting, whether it is done by the
    Paul> good or the bad guys.
  
  It is possible that the flag in the SKB that says to do the offload is
not getting cleared by KLIPS.

    Paul> Note that I said "ipsec packets". I meant protocol 50 and
    Paul> 51. If we are talking about NAT-T packets, eg ESPinUDP
    Paul> packets, then it should be possible to do hardware offloading
    Paul> of the outer UDP packet. What packets did you see this
    Paul> behaviour for?

  We set the UDP checksum to 0 on NAT-T packets. UDP checksum is a waste
of time, when we have the HMAC to authenticate the data.

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
_______________________________________________
Dev mailing list
Dev@openswan.org
http://lists.openswan.org/mailman/listinfo/dev
Paul Wouters
2006-01-04 19:14:00
On Wed, 4 Jan 2006, Michael Richardson wrote:

>     Paul> The cards cannot and should not rewrite ipsec packets. Any
>     Paul> change will break the authenticity of the packet. IPsec
>     Paul> protects against packet rewriting, whether it is done by the
>     Paul> good or the bad guys.
>
>   It is possible that the flag in the SKB that says to do the offload is
> not getting cleared by KLIPS.

Ok, added this pointer to a bug report to make sure.

>     Paul> Note that I said "ipsec packets". I meant protocol 50 and
>     Paul> 51. If we are talking about NAT-T packets, eg ESPinUDP
>     Paul> packets, then it should be possible to do hardware offloading
>     Paul> of the outer UDP packet. What packets did you see this
>     Paul> behaviour for?
>
>   We set the UDP checksum to 0 on NAT-T packets. UDP checksum is a waste
> of time, when we have the HMAC to authenticate the data.

but doesn't that make the packet 'invalid' to any router that might check
the checksum? What do the RFCs say? When should you do checksum verification?

Or did you mean klips sets it to 0, and it's up to the kernel to fill it in
before sending?

Paul

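The following is an added illustration of the two points the thread turns on; it is not code from the thread, from Openswan or from KLIPS. RFC 3948 (section 2.1) has the sender transmit the UDP checksum of an ESP-in-UDP packet as zero and tells receivers not to depend on it, and RFC 768 already defines a zero UDP checksum on IPv4 as "no checksum was computed", so a conforming host or router does not validate it. The ESP integrity check value (ICV) covers only the ESP header and payload, never the outer UDP header, so a NIC that fills in the outer checksum during offload does not break authentication, whereas any rewrite inside the ESP body does. Everything in the block is constructed for the example: HMAC-SHA1-96 is assumed as the ESP authentication algorithm, encryption is omitted, and the key, addresses, payload and function names (`esp_packet`, `udp_encapsulate`, `nic_fills_checksum`, `receive`) are hypothetical.

```python
"""UDP-encapsulated ESP (RFC 3948): zero UDP checksum, and what the ESP ICV covers."""
import hashlib
import hmac
import struct

NAT_T_PORT = 4500      # UDP port shared by IKE and ESP-in-UDP under NAT traversal
ICV_LEN = 12           # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits (assumed auth algorithm)
UDP_HDR = 8
ESP_HDR = 8            # SPI (4) + sequence number (4)


def esp_packet(spi, seq, payload, auth_key):
    """ESP header + payload + ICV. Encryption is omitted for clarity; the ICV is
    computed over SPI, sequence number and payload, which is what ESP authenticates."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


def udp_encapsulate(esp, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """RFC 3948 section 2.1: a plain UDP header in front of ESP, checksum sent as zero."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR + len(esp), 0) + esp


def udp_checksum(src_ip, dst_ip, udp):
    """RFC 768 checksum over the IPv4 pseudo-header and the datagram, with the
    checksum field itself taken as zero. A computed 0 is sent as 0xFFFF because
    0 on the wire means 'no checksum'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    data = pseudo + udp[:6] + b"\x00\x00" + udp[8:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF


def nic_fills_checksum(src_ip, dst_ip, udp):
    """What UDP checksum offload on the NIC does to the outer header: it only
    touches the checksum field, which lies outside the ESP ICV's coverage."""
    return udp[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, udp)) + udp[8:]


def receive(src_ip, dst_ip, udp, auth_key):
    """Receiver's checks in order. Returns (accepted, reason)."""
    if len(udp) < UDP_HDR:
        return False, "truncated UDP header"
    sport, dport, length, csum = struct.unpack("!HHHH", udp[:UDP_HDR])
    if length != len(udp):
        return False, "bad UDP length"
    # RFC 768: on IPv4 a zero checksum means none was computed, so it is only
    # verified when present. RFC 3948 has the sender transmit zero here.
    if csum != 0 and udp_checksum(src_ip, dst_ip, udp) != csum:
        return False, "bad UDP checksum"
    esp = udp[UDP_HDR:]
    # RFC 3948: four zero bytes (the Non-ESP marker) mean IKE, since SPI 0 is reserved.
    if esp[:4] == b"\x00\x00\x00\x00":
        return False, "Non-ESP marker: this is IKE on port 4500, not ESP"
    if len(esp) < ESP_HDR + ICV_LEN:
        return False, "ESP too short"
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "ESP ICV mismatch"
    return True, "ok"


def demo():
    """Constructed inputs (RFC 5737 documentation addresses, a fixed key):
    outer-header rewrites are harmless, anything inside ESP is not."""
    key = b"\x11" * 20
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    udp = udp_encapsulate(esp_packet(0x1000, 1, b"inner IP datagram", key))
    csum = udp_checksum(src, dst, udp)
    wrong_csum = ((csum + 1) & 0xFFFF) or 1          # nonzero and different from the right one
    corrupted = udp[:6] + struct.pack("!H", wrong_csum) + udp[8:]
    off = UDP_HDR + ESP_HDR + 3                         # a byte inside the ESP payload
    tampered = udp[:off] + bytes([udp[off] ^ 0x01]) + udp[off + 1:]
    return {
        "checksum_zero": receive(src, dst, udp, key),
        "nic_filled_checksum": receive(src, dst, nic_fills_checksum(src, dst, udp), key),
        "wrong_checksum": receive(src, dst, corrupted, key),
        "payload_rewritten": receive(src, dst, tampered, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The four cases in `demo()` separate the two layers: a zero checksum and a NIC-filled checksum are both accepted, a wrong nonzero checksum is dropped by the UDP layer before ESP is even looked at, and a single flipped byte inside the ESP body is caught by the ICV regardless of what the outer header says. Raw ESP (protocol 50) has no outer UDP header at all, so there is nothing for a checksum-offload engine to fill in there.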