Commit Graph

12 Commits

Author SHA1 Message Date
itojun 9288750911 memcpy -> bcopy, for sync with kame tree 2000-10-19 00:40:44 +00:00
itojun 23a03329ef verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
TODO: udp6, and sendto consideration.  as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
thorpej ea9b5a9106 Restructure the Path MTU Discovery code somewhat to avoid
entering rtentry's for hosts we're not actually communicating
with.

Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
	* TCP -- Lookup the connection based on the address/port
	  pairs in the ICMP message.
	* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.

If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc().  icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes.  For TCP, this is where we now
refresh cached routes and re-enter slow-start.

As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.

XXX Note, this is only a fix for the IPv4 case.  For the IPv6
XXX case, we need to wait for the KAME folks.

Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org.
2000-10-18 17:09:14 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun e485f6527e pullup IPv6 and subsequent headers, on IPv6 IPsec transport mode input.
(not normally visited - we have switched to m_pulldown.  just for completeness)
2000-09-18 22:18:00 +00:00
itojun 2af85c262b improve code sharing for esp_schedule(). add some diagnostics cases
for esp_cbc_{en,de}crypt().  sync with kame.
2000-08-29 11:32:21 +00:00
itojun bb8d535cc5 use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.

the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.

XXX: it looks that past blowfish-cbc code was buggy.  i ran some test pattern,
and new blowfish-cbc code looks more correct.  there's no interoperability
between the old code (before the commit) and the new code (after the commit).

XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun e6efb27c84 add missing splx, when outgoing interface queue is full on tunnelled
ESP packet output.  KAME PR 280.
2000-08-16 09:54:39 +00:00
itojun 0036ac92be clarify comment. from jhawk. sync with kame. 2000-07-30 04:33:34 +00:00
itojun 411ff12b27 pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.

loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun 65d37eff7f correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.

WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
thorpej 1b8ede9f7c Import IPsec ESP from netbsd-cryptosrc-intl. 2000-06-14 19:39:42 +00:00