Question about tunnels, IPsec and redirect
bill4carson at gmail.com
Sat Sep 28 22:23:37 EDT 2013
On 2013-09-26 15:31, Kevin Wilson wrote:
> Of course.
> But the (unanswered) question is:
> when sp is non-NULL and we are working with IPsec, why shouldn't we
> send a redirect in such a case?
Apologies for replying late.
I think you are probably missing what "ICMP redirect" does; if so, please
take a look at this link:
My understanding is:
If a host is protected by gateway A using IPsec, even if a better route for the host is
via gateway B, gateway A cannot tell the host to use gateway B as its next hop (by sending a redirect),
as the IPsec policy is on gateway A only, not necessarily on gateway B.
I think this is the scenario that the patch is trying to describe.
> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson<bill4carson at gmail.com> wrote:
>> Hi Kevin
>> On 2013-09-25 02:52, Kevin Wilson wrote:
>>> I am looking at this patch:
>>> and I cannot understand it. Can somebody please try
>>> to explain ?
>>> more specifically:
>>> Can somebody please give an example of some setup of IPsec tunnel
>>> where the ip_rt_send_redirect() method should not be called when the
>>> skb->sp is not NULL ?
>> + if (rt->rt_flags&RTCF_DOREDIRECT&& !opt->srr&& !skb->sp)
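Review bot: the added `!skb->sp` term is exactly the part of this condition that the thread shows is not self-explanatory, so the commit message should state the reason in one sentence (a redirect would point the host at a gateway that need not hold the IPsec policy that this gateway applied); as written, a reader has to infer it from the field name alone. Two smaller points on the same line: the operators are missing their surrounding spaces (`rt->rt_flags & RTCF_DOREDIRECT && !opt->srr && !skb->sp` is the kernel style), and, as noted later in the thread, newer kernels reach the secpath through the `skb_sec_path(skb)` accessor rather than the raw field, so `!skb_sec_path(skb)` is the form that keeps working across that change.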
>> If IPsec policy is not enabled for a specific flow that this skb matches,
>> skb->sp is NULL.
>>> (in other words, why, if the SKB is an IPsec SKB, should we not send a
>>> redirect in such a case while forwarding a packet; note I am talking
>>> about IPv4)
>>> Note that the check for skb->sp was changed in recent kernels to
>>> skb_sec_path(skb), but it is essentially the same.
>>> Kernelnewbies mailing list
>>> Kernelnewbies at kernelnewbies.org
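Added illustration, not code from this thread or from the kernel: a toy model of the scenario bill4carson describes. Gateway A holds the IPsec policy for the host's flow, gateway B is the better route on the host's link but has no policy, and the question is what happens to the host's next packet if A answers with an ICMP redirect. should_send_redirect() mirrors the quoted condition, with a flag to model the check before and after the sec_path term; everything else (struct pkt, struct gw, struct host, gateway_a_forward(), simulate(), the value of RTCF_DOREDIRECT) is invented for the model and is not the kernel's data structure or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bit for this model only; the kernel defines the real RTCF_DOREDIRECT. */
#define RTCF_DOREDIRECT 0x01000000u

enum { GW_A = 0, GW_B = 1, NGW = 2 };

/* A gateway and whether it holds the IPsec policy for the host's flow. */
struct gw {
    const char *name;
    bool has_ipsec_policy;
};

/* Stand-in for the sk_buff/rtable fields the quoted check consults (invented). */
struct pkt {
    unsigned int rt_flags;  /* RTCF_DOREDIRECT: a better gateway sits on the ingress link */
    bool srr;               /* source-route option present */
    const void *sp;         /* sec_path: non-NULL if the packet arrived through IPsec */
};

static const void *skb_sec_path(const struct pkt *p)
{
    return p->sp;
}

/* The condition from the patch. honor_sec_path = false models the check
 * as it was before the !skb->sp term existed. */
bool should_send_redirect(const struct pkt *p, bool honor_sec_path)
{
    bool redirect = (p->rt_flags & RTCF_DOREDIRECT) && !p->srr;
    if (honor_sec_path && skb_sec_path(p))
        redirect = false;
    return redirect;
}

/* The host remembers which gateway it uses as next hop; an ICMP redirect
 * from A replaces that entry with B. */
struct host {
    int next_hop;
};

static void gateway_a_forward(struct host *h, const struct pkt *p, bool honor_sec_path)
{
    if (should_send_redirect(p, honor_sec_path))
        h->next_hop = GW_B;
}

/* Plays the scenario through once. Returns true if the host's next packet
 * is still handled by a gateway that has the IPsec policy installed. */
bool simulate(bool honor_sec_path)
{
    const struct gw gws[NGW] = {
        { "A", true  },   /* protects the host's flow with IPsec */
        { "B", false },   /* better route, but no policy for this flow */
    };
    struct host h = { GW_A };
    int sa_marker;
    /* Constructed packet: it came in through A's SA (sp non-NULL), and A's
     * route lookup found B to be a better next hop on the host's own link. */
    struct pkt p = { RTCF_DOREDIRECT, false, &sa_marker };

    gateway_a_forward(&h, &p, honor_sec_path);
    printf("%s sec_path term: host now sends via %s, policy present: %s\n",
           honor_sec_path ? "with" : "without",
           gws[h.next_hop].name,
           gws[h.next_hop].has_ipsec_policy ? "yes" : "no");
    return gws[h.next_hop].has_ipsec_policy;
}

int main(void)
{
    simulate(false);  /* host gets redirected to B and its traffic loses the policy */
    simulate(true);   /* redirect suppressed, host keeps going through A */
    return 0;
}
```

The model says nothing about whether B drops the cleartext or forwards it unprotected; either way the host's traffic has left the only gateway that enforces the policy, which is the outcome the patch avoids. A cleartext packet (sp == NULL) still gets a redirect, so ordinary forwarding behaviour is unchanged.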