On Wed, 22 Dec 2004 at 17:17, Kausty wrote: > > On Tue, 21 Dec 2004 10:52:22 -0800 (PST), Park Lee > <parklee_sel@xxxxxxxxx> wrote: > > Hi, > > We know that the output process of Linux native > > IPsec fully uses the XFRM architecture. The order > > of primal functions are xfrm_lookup(), > > xfrm_tmpl_resolve(), xfrm_bundle_create() and > > dst_output(). > > The input process for IPsec is more simple than > > output. The order of primal functions (in IPv4) > > are xfrm4_rcv(), xfrm4_rcv_encap(), > > xfrm4_parse_spi(), xfrm4_policy_check(). > > But, Why should the input process also go > > throught xfrm_lookup(), xfrm_tmpl_resolve(), > > xfrm_bundle_create()? What's the purpose of this? > > i havent gone through the code flow as u mentioned > but this is my general idea. > > these are generic lookup functions irrespective of > ipv6/v4. > the purpose is to ensure that all the SA's are > applied hence a bundle needs to be created > everytime a packet is recieved. > If no bundle is created then a seperate search > needs to be done for ESP/AH/Transport/Tunnel > > is this what u were looking for ?? Thanks. But, After a packet was received, It has already been processed by xfrm4_rcv(), xfrm4_rcv_encap(), ah_input(), esp_input(),etc. so, I think that there is no need to search(or created) a bundle everytime a packet is recieved, since it has already been processed. Am I right? ===== Best Regards, Park Lee __________________________________ Do you Yahoo!? Yahoo! Mail - Helps protect you from nasty viruses. http://promotions.yahoo.com/new_mail - : send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
