tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPsec: stack problems
Le 01/03/2018 à 09:43, Joerg Sonnenberger a écrit :
On Thu, Mar 01, 2018 at 07:31:13AM +0100, Maxime Villard wrote:
I'm a little concerned about the stack usage in the IPsec code. Note that what
I'm talking about here occurs _after_ authentication.
I think that is a known design issue of the IPsec code. FreeBSD has been
talking about similar issues for years, too.
Typically, when an IPv4-AH packet is received, the code path is:
ip_input
(*pr_input) = ipsec_common_input
ah_input
crypto_dispatch
[several crypto functions are called]
ah_input_cb
ipsec4_common_input_cb
(*pr_input) = depends on the packet
I wonder if the best appoach wouldn't be to cut the stack at this point
and defer the packet back to a netisr.
Frank Kardel suggested the same thing (in an off-list email), here's my
answer to him. Basically I'm not sure if it breaks assumptions deep in the
opencrypto code.
Maxime
-------- Message transféré --------
Sujet : Re: IPsec: stack problems
Date : Thu, 1 Mar 2018 08:02:07 +0100
De : Maxime Villard <max%m00nbsd.net@localhost>
Pour : Frank Kardel <kardel%kardel.name@localhost>
Le 01/03/2018 à 07:45, Frank Kardel a écrit :
[...]
In fact, the crypto code was written with the assumption that when
crypto_dispatch returns, there is no further crypto processing.
If the packet is repushed, this assumption does not hold anymore, and I'm not
sure whether it wouldn't break things.
But otherwise yes, it would be nice to repush the packet.
Maxime
Home |
Main Index |
Thread Index |
Old Index