[support] XFRM

Jakub "Arkon" Syrek arkon at nast.pl
Mon Sep 8 17:51:20 JST 2008


Sebastien, thanks for the help.
I have a few more questions:
How can I figure out which policy is associated with which state?

I found code like this:
/* Create policy for all BUs with home flag NOT set to
  use home address option */
if (cn_wildrecv_bu_pol_add())
  return -1;

As I understand it, this comment means that the H bit in the Binding Update (Mobility 
Header type 5) is set to 0?

set_selector(&in6addr_any, &in6addr_any, IPPROTO_MH,
       IP6_MH_TYPE_BU, 0, 0, &sel);
create_dstopt_tmpl(&tmpl, &in6addr_any, &in6addr_any);

return xfrm_mip_policy_add(&sel, 0, XFRM_POLICY_IN, XFRM_POLICY_ALLOW,
       MIP6_PRIO_RO_SIG_ANY, &tmpl, 1);

I understand that we add a policy for any packet that has any src/dst IPv6 
address and contains mobility header type 5 (BU), but where do we check the H bit?
What does tmpl (template) stand for?

Regards
Kuba

----- Original Message ----- 
From: "Sebastien Decugis" <sdecugis at hongo.wide.ad.jp>
To: "Support ML" <support at ml.nautilus6.org>
Sent: Monday, September 08, 2008 4:25 AM
Subject: Re: [support] XFRM


> Hello Jakub,
>
> Your best source to understand fully the XFRM code is to read the xfrm 
> sources in the kernel...
>
> First of all, you have several different kinds of XFRM states/policies that 
> are installed in mip6d: ipsec, ro, destopt, udpencaps (dsmip)... The 
> selection of packets and the processing is different for each kind of 
> policy, so to better understand the mechanism it is better to 
> concentrate on one kind at a time.
>
> For an introduction to how the packets reach the XFRM code, I'll let you 
> read this mail sent previously on the dsmip mailing-list:
> http://ml.nautilus6.org/pipermail/dsmip/2008-July/000024.html
>
> As you probably have read in the daemon code, the states and policies are 
> installed through the netlink interface. In the kernel, the corresponding 
> code is in xfrm_user.c file.
>
> XFRM states are instances of a transformer, XFRM policies are selectors 
> that match packets and reference the states. The logic is that when a 
> packet is processed (IN, OUT or FORWARD), the policies are looked up 
> (xfrm_lookup()) and the associated states are associated with the skb 
> object, then applied (I can't find where this is done right now).
>
> To answer your question, a policy always needs a state associated, and this 
> state is added with the xfrm_state_add() function. For some operations, the 
> state will contain information needed for the transformation, and for 
> other operations the data can come from inside the packet for example.
>
> I hope this helps...
> Sebastien.
>
>
> Jakub "Arkon" Syrek wrote:
>> Hi
>> I know that this may not be the proper list, but I am looking at the xfrm.c source 
>> of mipl + nemo/MCoA support...
>> I'm trying to figure out how setting XFRM in mipl works but I can't.
>> I was googling all day today but found nothing about it.
>> I've found that xfrm_mip_policy_add() creates some policy for a packet by 
>> trying to fit it to a selector (ip, port, type etc.) but what does xfrm_state_add() 
>> do? What happens then with this selected packet?
>> Can someone explain it to me, please?
>>
>> Regards
>> Jakub Syrek
>> _______________________________________________
>> Support mailing list
>> Support at ml.nautilus6.org
>> http://ml.nautilus6.org/mailman/listinfo/support
>>
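
The message above asks where the H bit is checked when the selector is built only from wildcard addresses, IPPROTO_MH and the BU type. The following is an added example, not mip6d or kernel code and not written by either poster: it parses two constructed Binding Updates using the RFC 3775/6275 layout and shows that a match on protocol and MH type alone treats them identically, while the H flag has to be read from the BU flags word. `struct mh_selector`, both functions and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_MH     135     /* value of IPPROTO_MH */
#define MH_TYPE_BU   5       /* value of IP6_MH_TYPE_BU */
#define BU_FLAG_HOME 0x4000  /* H bit of the BU flags word (RFC 3775/6275, 6.1.7) */

/* Hypothetical stand-in for the non-wildcard fields passed to set_selector(). */
struct mh_selector { uint8_t proto; uint8_t mh_type; };

/* Constructed 16-byte BUs (checksum left at zero, not validated here):
 * next hdr, hdr len, MH type, reserved, checksum[2], seq[2], flags[2],
 * lifetime[2], then a 4-byte PadN option. */
const uint8_t bu_home[16] = { 59, 1, 5, 0, 0, 0, 0, 1, 0xC0, 0x00, 0, 10, 1, 2, 0, 0 };
const uint8_t bu_ro[16]   = { 59, 1, 5, 0, 0, 0, 0, 2, 0x00, 0x00, 0, 10, 1, 2, 0, 0 };

/* Match on protocol and MH type only, the two values the selector carries. */
int selector_matches(const struct mh_selector *sel, uint8_t nexthdr,
                     const uint8_t *mh, size_t len)
{
    if (len < 6)                       /* fixed Mobility Header is 6 bytes */
        return 0;
    return nexthdr == sel->proto && mh[2] == sel->mh_type;
}

/* Return 1 or 0 for the H flag, or -1 if the buffer is not a complete BU. */
int bu_home_flag(const uint8_t *mh, size_t len)
{
    if (len < 12 || mh[2] != MH_TYPE_BU)
        return -1;
    if (((size_t)mh[1] + 1) * 8 > len) /* hdr len counts 8-byte units after the first */
        return -1;
    return ((((uint16_t)mh[8] << 8) | mh[9]) & BU_FLAG_HOME) != 0;
}

int main(void)
{
    struct mh_selector sel = { PROTO_MH, MH_TYPE_BU };
    printf("H=1 BU: selector=%d H=%d\n",
           selector_matches(&sel, PROTO_MH, bu_home, sizeof bu_home),
           bu_home_flag(bu_home, sizeof bu_home));
    printf("H=0 BU: selector=%d H=%d\n",
           selector_matches(&sel, PROTO_MH, bu_ro, sizeof bu_ro),
           bu_home_flag(bu_ro, sizeof bu_ro));
    return 0;
}
```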
