tech-net archive


Re: IPsec: stack problems



On Thu, Mar 01, 2018 at 07:31:13AM +0100, Maxime Villard wrote:
> I'm a little concerned about the stack usage in the IPsec code. Note that what
> I'm talking about here occurs _after_ authentication.

I think that is a known design issue of the IPsec code. FreeBSD has been
talking about similar issues for years, too.

> Typically, when an IPv4-AH packet is received, the code path is:
> 
> 	ip_input
> 	(*pr_input) = ipsec_common_input
> 	ah_input
> 	crypto_dispatch
> 	[several crypto functions are called]
> 	ah_input_cb
> 	ipsec4_common_input_cb
> 	(*pr_input) = depends on the packet

I wonder if the best approach wouldn't be to cut the stack at this point
and defer the packet back to a netisr.

Joerg
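The two designs discussed in this exchange, nesting the protocol input on the same stack versus cutting the stack and re-queueing the packet, can be compared with a small model. The following C program is an added example and is not NetBSD code or anything posted in the thread: the function names mirror the call path Maxime quoted, but each stage only increments a nesting counter (standing in for kernel stack usage) and calls the next stage, the "packet" is a constructed list of header types (IP, AH, IP, ..., TCP, i.e. tunnel-mode AH nested some number of times), and `netisr_enqueue`/`netisr_dequeue` are a toy FIFO playing the role of the netisr queue. `run_receive_path(tunnels, deferred)` returns the deepest nesting reached, which grows linearly with the number of encapsulation layers in the nested model and stays constant once `ipsec_common_input_cb` hands the inner packet back to the queue instead of calling `ip_input` directly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the IPv4-AH receive path; the depth counter stands in
 * for stack usage, and the packet is just a sequence of header types. */
#define MAX_HDRS 32
enum hdr { H_IP, H_AH, H_TCP };

struct pkt {
	enum hdr hdrs[MAX_HDRS];
	int nhdrs;
	int pos;		/* index of the header currently being parsed */
	struct pkt *next;	/* link for the netisr-style queue */
};

static int depth, max_depth;	/* current and deepest nesting observed */
static int defer_after_crypto;	/* 0: nested (*pr_input) call, 1: re-queue */

static void enter(void) { if (++depth > max_depth) max_depth = depth; }
static void leave(void) { depth--; }

/* Minimal FIFO standing in for the netisr queue (hypothetical helper). */
static struct pkt *qhead, *qtail;

static void
netisr_enqueue(struct pkt *p)
{
	p->next = NULL;
	if (qtail != NULL) qtail->next = p; else qhead = p;
	qtail = p;
}

static struct pkt *
netisr_dequeue(void)
{
	struct pkt *p = qhead;
	if (p != NULL && (qhead = p->next) == NULL)
		qtail = NULL;
	return p;
}

static void ip_input(struct pkt *p);

/* Stands in for ipsec4_common_input_cb: AH is verified and stripped, and the
 * inner packet goes to (*pr_input), which for a tunnel-mode SA is ip_input. */
static void
ipsec_common_input_cb(struct pkt *p)
{
	enter();
	p->pos++;			/* strip the AH header */
	if (defer_after_crypto)
		netisr_enqueue(p);	/* cut the stack; the dispatch loop resumes */
	else
		ip_input(p);		/* nested: inner packet on the same stack */
	leave();
}

static void ah_input_cb(struct pkt *p) { enter(); ipsec_common_input_cb(p); leave(); }
/* Synchronous software crypto: the callback runs before crypto_dispatch returns. */
static void crypto_dispatch(struct pkt *p) { enter(); ah_input_cb(p); leave(); }
static void ah_input(struct pkt *p) { enter(); crypto_dispatch(p); leave(); }
static void ipsec_common_input(struct pkt *p) { enter(); ah_input(p); leave(); }

static void
ip_input(struct pkt *p)
{
	enter();
	if (p->pos < p->nhdrs && p->hdrs[p->pos] == H_IP) {
		p->pos++;		/* consume the IP header, dispatch on the next one */
		if (p->pos < p->nhdrs) {
			switch (p->hdrs[p->pos]) {
			case H_AH:  ipsec_common_input(p); break;
			case H_TCP: p->pos++; break;	/* delivered to the transport */
			default: break;
			}
		}
	}
	leave();
}

/* Build IP [AH IP]{tunnels} TCP, run it through the chosen model and return
 * the deepest call nesting seen; -1 if the packet would not fit the model. */
int
run_receive_path(int tunnels, int deferred)
{
	struct pkt p, *q;
	int i;

	if (tunnels < 0 || 2 + 2 * tunnels > MAX_HDRS)
		return -1;
	memset(&p, 0, sizeof(p));
	p.hdrs[p.nhdrs++] = H_IP;
	for (i = 0; i < tunnels; i++) {
		p.hdrs[p.nhdrs++] = H_AH;
		p.hdrs[p.nhdrs++] = H_IP;
	}
	p.hdrs[p.nhdrs++] = H_TCP;

	depth = max_depth = 0;
	defer_after_crypto = deferred;
	qhead = qtail = NULL;
	netisr_enqueue(&p);	/* initial delivery also comes via the netisr */
	while ((q = netisr_dequeue()) != NULL)
		ip_input(q);
	return max_depth;
}

int
main(void)
{
	int t;
	for (t = 0; t <= 4; t++)
		printf("%d tunnel(s): nested depth %2d, deferred depth %2d\n",
		    t, run_receive_path(t, 0), run_receive_path(t, 1));
	return 0;
}
```

In the nested model every additional AH-in-tunnel layer adds the full six-stage chain to the live stack, whereas the deferred model unwinds to the dispatch loop after each crypto callback, so its worst case is one chain regardless of how the packet is encapsulated. The same bound applies to any other protocol input reached through `(*pr_input)` once the hand-off goes through the queue.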

