On Thu, Aug 09, 2007 at 03:11:20PM -0500, Nicolas Williams wrote:
> > >  - usr/src/uts/common/inet/ip/ip.c:7031,7045
> > > 
> > >    I gather that ESP-in-UDP is fairly costly -- we re-compute the IP
> > >    header checksum for what appears to be purely local purposes only,
> > >    and we move around the ESP payload (ovbcopy(), right?).
> > 
> > It's not for local purposes if you follow the bouncing packet.
> > ip_proto_input() does the off-the-wire check.  To be fair, I need only
> > recompute the checksum if it's really ESP-in-UDP (vs. a zero-SPI UDP 
> > packet).
> 
> That sounds "purely local" to me -- the IP hdr cksum should only be
> checked once, long before the ESP-in-UDP code path is ever reached.
> 
> > Therefore, I'm moving the ip_csum_hdr() call into the if/else branch
> > specifically for ESP-in-UDP.
> 
> Good catch.

Actually, I've done one better.

I've modified ip_proto_input(), which ignored the checksum computation for
looped-around IPsec packets, to also outright NOT PERFORM the checksum
computation when mctl_present (IPSEC_IN) is set.  (I wonder if I should do
the same fix for ip_{udp,tcp,sctp}_input()?)

The webrev is now updated, too.  I'm running a battery of regression tests to
make sure things are okay.

Webrev pointers, again, are:

        http://cr.opensolaris.org/~danmcd/detangle/

and for usr/closed goodies (which haven't changed between then and now):

        http://zhadum.east/~danmcd/detangle/

Networking types, PLEASE look at the ip_proto_input() changes, and if you
think they should ALSO go in ip_*_input() I can make it happen.

Thanks,
Dan
_______________________________________________
networking-discuss mailing list
[email protected]
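
The following user-space C example is added here to illustrate the ESP-in-UDP branch discussed in the message above; it is not code from the webrev or from ip.c. The names `esp_udp_decap`, `run_sample` and `enum decap` are hypothetical, and the packet is constructed. It shows why the IP header checksum needs recomputing only when the UDP header is actually stripped, and not for a zero-SPI UDP packet.

```c
#include <stdint.h>
#include <string.h>

enum decap { DECAP_BAD = -1, DECAP_NOT_ESP = 0, DECAP_ESP = 1 };

/* RFC 1071 sum over an IPv4 header; yields 0 when the stored checksum is valid. */
static uint16_t ip_hdr_cksum(const uint8_t *h, size_t hlen) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical helper: strip the UDP header of an ESP-in-UDP datagram in place. */
enum decap esp_udp_decap(uint8_t *pkt, size_t *len) {
    size_t hlen = (*len >= 20) ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (hlen < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 17 || *len < hlen + 8 + 4)
        return DECAP_BAD;
    const uint8_t *spi = pkt + hlen + 8;          /* first 4 bytes after UDP */
    if ((spi[0] | spi[1] | spi[2] | spi[3]) == 0)
        return DECAP_NOT_ESP;   /* zero SPI: header untouched, no checksum work */
    memmove(pkt + hlen, pkt + hlen + 8, *len - hlen - 8);   /* overlapping copy */
    *len -= 8;
    pkt[2] = (uint8_t)(*len >> 8); pkt[3] = (uint8_t)(*len); /* new total length */
    pkt[9] = 50; pkt[10] = pkt[11] = 0;           /* protocol ESP, clear checksum */
    uint16_t ck = ip_hdr_cksum(pkt, hlen);        /* header changed: recompute */
    pkt[10] = (uint8_t)(ck >> 8); pkt[11] = (uint8_t)ck;
    return DECAP_ESP;
}

/* Constructed 36-byte datagram: IPv4 + UDP 4500->4500 + 8 bytes of ESP header. */
int run_sample(uint32_t spi) {
    uint8_t p[36] = { 0x45, 0, 0, 36, 0, 0, 0, 0, 64, 17, 0, 0,
                      192, 0, 2, 1, 192, 0, 2, 2,      /* TEST-NET-1 addresses */
                      0x11, 0x94, 0x11, 0x94, 0, 16, 0, 0 };
    size_t len = sizeof(p);
    p[28] = (uint8_t)(spi >> 24); p[29] = (uint8_t)(spi >> 16);
    p[30] = (uint8_t)(spi >> 8);  p[31] = (uint8_t)spi;
    uint16_t ck = ip_hdr_cksum(p, 20);
    p[10] = (uint8_t)(ck >> 8); p[11] = (uint8_t)ck;
    enum decap r = esp_udp_decap(p, &len);
    int ok = ip_hdr_cksum(p, 20) == 0 &&          /* header must still verify */
        (r == DECAP_ESP ? (len == 28 && p[9] == 50 && p[23] == (uint8_t)spi)
                        : (len == 36 && p[9] == 17));
    return ok ? (int)r : -2;
}

int main(void) { return run_sample(0x1234) == DECAP_ESP && run_sample(0) == DECAP_NOT_ESP ? 0 : 1; }
```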