Dan McDonald wrote:

>Hey folks!
>
>NOTE --> This is more the networking half of IPsec, but I'm Bcc:-ing
>security-discuss for IPsec folks who hang out there exclusively.
>
>I put in Darren Moffat's (very sensible) request for local-port flexibility
>in IPsec NAT-Traversal (in other words, you can encapsulate ESP-in-UDP with
>ports other than 4500).
>
>It took a while to get it right, as well as to get the test environment (some
>will-remain-undocumented in.iked changes in usr/closed) right.
>
I'm not sure I understand this. Are you saying that there have been changes made to in.iked that won't be documented, leaving this as an undocumented feature?

>I now have a new public webrev:
>
> http://cr.opensolaris.org/~danmcd/detangle/
>
>...
>
> 2.) UDP and IP performance folks --> am I slowing any UDP hotpaths
> down? I was looking at using the conn_t's input function pointer
> to reroute NAT-T sockets, but it seemed harder than it needed to
> be. Maybe I'm missing something, but some of the options
> processing happens in ip_fanout_udp_conn() or ip_udp_check() and
> it seems I can't really do the zero-SPI stripping after those
> functions.
>

Well, in udp fanout, there's a new if() with a double pointer deref....

ip.c - 17933 - I prefer long-winded if() clauses over clever tricks like this. Easier to read, easier to debug. Let the compiler worry about optimisations like this.

Darren
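For readers who do not have the webrev open, the "zero-SPI stripping" Dan mentions is the RFC 3948 demultiplexing step that every UDP datagram on a NAT-T port has to go through before it can be handed to IKE or ESP: a single 0xFF octet is a NAT-keepalive, four zero octets (the non-ESP marker, which can never be a real SPI) mean an IKE message follows and the marker must be stripped, and anything else is UDP-encapsulated ESP with the SPI first. The following is an added C example written for this note; it is not code from the webrev or from any OpenSolaris source. The `natt_ports` list and `natt_port_matches()` are a hypothetical stand-in for whatever configuration carries the non-4500 local ports the change allows, and the sample datagrams are constructed, not captured.

```c
/*
 * RFC 3948 NAT-T demultiplexing, plus a configurable-port check.
 * Added example for the list discussion; not from the webrev or from
 * OpenSolaris.  natt_ports / natt_port_matches() are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum natt_kind { NATT_MALFORMED = 0, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

struct natt_pdu {
    enum natt_kind kind;
    const uint8_t *data;   /* IKE message (marker stripped) or ESP packet (SPI first) */
    size_t len;
};

#define IKE_HDR_LEN 28   /* fixed ISAKMP/IKE header */
#define ESP_HDR_LEN 8    /* SPI + sequence number */

/* Classify one UDP payload that arrived on a NAT-T port. */
struct natt_pdu natt_demux(const uint8_t *buf, size_t len)
{
    struct natt_pdu r = { NATT_MALFORMED, NULL, 0 };

    /* RFC 3948 2.3: a NAT-keepalive is exactly one 0xFF octet. */
    if (len == 1) {
        if (buf[0] == 0xff)
            r.kind = NATT_KEEPALIVE;
        return r;
    }
    if (len < 4)
        return r;

    /* RFC 3948 2.2: four zero octets (the non-ESP marker, i.e. a "zero SPI")
     * announce an IKE message; strip the marker before passing it up.
     * ESP never carries SPI 0, so a non-zero first word is ESP. */
    if (buf[0] == 0 && buf[1] == 0 && buf[2] == 0 && buf[3] == 0) {
        if (len - 4 < IKE_HDR_LEN)
            return r;
        r.kind = NATT_IKE;
        r.data = buf + 4;
        r.len = len - 4;
        return r;
    }
    if (len < ESP_HDR_LEN)
        return r;
    r.kind = NATT_ESP;
    r.data = buf;
    r.len = len;
    return r;
}

/* Local-port flexibility: accept any configured NAT-T port, not only 4500.
 * (Hypothetical configuration shape.) */
int natt_port_matches(uint16_t local_port, const uint16_t *ports, size_t nports)
{
    for (size_t i = 0; i < nports; i++)
        if (ports[i] == local_port)
            return 1;
    return 0;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t sample_keepalive[] = { 0xff };
const uint8_t sample_ike[4 + IKE_HDR_LEN] = {
    0, 0, 0, 0,                                   /* non-ESP marker */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, /* initiator SPI */
    0, 0, 0, 0, 0, 0, 0, 0,                       /* responder SPI */
    0x21, 0x20, 0x22, 0x08,                       /* next payload, v2.0, IKE_SA_INIT, flags */
    0, 0, 0, 0,                                   /* message ID */
    0, 0, 0, IKE_HDR_LEN                          /* length */
};
const uint8_t sample_esp[] = {
    0x00, 0x00, 0x12, 0x34,   /* SPI 0x1234 */
    0x00, 0x00, 0x00, 0x01,   /* sequence 1 */
    0xde, 0xad, 0xbe, 0xef    /* ciphertext */
};
const uint8_t sample_bogus_keepalive[] = { 0x00 };   /* one octet, not 0xFF */
const uint8_t sample_short_marker[] = { 0, 0, 0, 0, 0x21 }; /* marker, truncated IKE */

const uint16_t natt_ports[] = { 4500, 14500 };      /* hypothetical configured ports */

int main(void)
{
    static const char *names[] = { "malformed", "keepalive", "ike", "esp" };
    printf("keepalive -> %s\n", names[natt_demux(sample_keepalive, sizeof sample_keepalive).kind]);
    printf("ike       -> %s\n", names[natt_demux(sample_ike, sizeof sample_ike).kind]);
    printf("esp       -> %s\n", names[natt_demux(sample_esp, sizeof sample_esp).kind]);
    printf("bogus     -> %s\n", names[natt_demux(sample_bogus_keepalive, 1).kind]);
    printf("short     -> %s\n", names[natt_demux(sample_short_marker, sizeof sample_short_marker).kind]);
    printf("port 14500 accepted: %d\n", natt_port_matches(14500, natt_ports, 2));
    return 0;
}
```

The point of the length checks is the same one that makes this awkward to place after ip_fanout_udp_conn(): once the marker has been stripped, the consumer sees an IKE message that is four bytes shorter than the UDP payload, so the classification has to happen before anything else has committed to the original payload length.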
