[support] XFRM

Sebastien Decugis sdecugis at hongo.wide.ad.jp
Mon Sep 8 11:25:51 JST 2008 

Hello Jakub,

You best source to understand fully the XFRM code is to read the xfrm 
sources in the kernel...

First of all, you have several different kind of XFRM states/policies 
that are installed in mip6d: ipsec, ro, destopt, udpencaps (dsmip)... 
The selection of packets and the processing is different for each kind 
of policies, so to better understand the mechanism it is better to 
concentrate on one kind at a time.

For an introduction to how the packets reach the XFRM code, I'll let you 
read this mail sent previously on the dsmip mailing-list:
http://ml.nautilus6.org/pipermail/dsmip/2008-July/000024.html

As you probably have read in the daemon code, the states and policies 
are installed through the netlink interface. In the kernel, the 
corresponding code is in xfrm_user.c file.

XFRM states are instances of a transformer, XFRM policies are selectors 
that match packets and references the states. The logic is that when a 
packet is processed (IN, OUT or FORWARD), the policies are looked up 
(xfrm_lookup()) and the associated states are associated with the skb 
object, then applied (I can't find where this is done right now).

To answer your question, a policy always need a state associated, and 
this state is added with xfrm_state_add() function. For some operations, 
the state will contain informations needed for the transformation, and 
for other operations the data can come from inside the packet for example.

I hope this helps...
Sebastien.


Jakub "Arkon" Syrek a écrit :
> Hi
> I know that it may not be proper list but I am looking at xfrm.c 
> source of mipl + nemo/MCoA support ..
> I'm trying to figure out how setting XFRM in mipl  works but i can't.
> I was googling all day today but found nothing about it.
> I've found that xfrm_mip_policy_add() create some policy for packet by 
> try to fit it to selector (ip, port, type etc.) but what 
> xfrm_state_add() do? What happens than with this selected packet?
> Can someone explain it to me, please?
>
> Regards
> Jakub Syrek
> _______________________________________________
> Support mailing list
> Support at ml.nautilus6.org
> http://ml.nautilus6.org/mailman/listinfo/support
>

More information about the Support mailing list