First off, I'm behind on reading the design doc, and for that I apologize.
OTOH, I am one of the "IPsec guys" Darren refers to, so let me jump in
quickly.

On Mon, Oct 27, 2008 at 02:16:45PM -0700, Sangeeta Misra wrote:
> >>> Dropping fragmented packets is not acceptable. Talk to
> >>> the IPsec guys for some tips on mitigating this problem.
> >>> This will come back to bite us if it is implemented like
> >>> this.
> >>
> >>
> >> We are aware of several ways to handle this. But we
> >> opt to defer this. In practice, this should only affect
> >> UDP traffic. And not supporting fragment should not
> >> exclude the use of ILB for all UDP apps. So we leave
> >> this as an RFE for the next phase of the project.
> >
> > Correction: in theory this should only impact UDP traffic,
> > in practice it affects UDP *and* TCP traffic.
> >
> As Kacheong has mentioned, handling of fragments will be done post Phase
> 1 delivery as an RFE.

Is this a design review or a code review? If the former, you should have
time to address this.

I don't know if you've all taken a look at the bottom bunch of functions in
$SRC/common/inet/ip/spd.c, but we have the "Fragment Cache" that used to live
in SunScreen. It's currently used for fragment caching and checking for
IPsec Tunnel Mode packets, but Paul (and he's the fragcache wizard) and I
have inspected the code and it wouldn't take TOO much to generalize it to
solve your ILB problems.

I've Bcc:ed Paul in case he wants to dive deeper, but ILB could:

* Split out the fragcache code into its own source file.
* Instantiate a fragcache_t wherever you need it. (After I review
  the whole design doc, I may be able to tell you exactly where!)
* Use the fragcache code to solve your IP fragment problems.

Dan