[support] XFRM

Sebastien Decugis sdecugis at hongo.wide.ad.jp
Tue Sep 9 10:19:54 JST 2008


Hi,

See answers inline.

Jakub "Arkon" Syrek wrote:
> Sebastien thanks for help.
> I got few more questions:
> How can I figure out which policy is associated with which state?
It's usually the "best match" I think, i.e. the most precise selector 
that matches will be chosen. If no state is available, an "ACQUIRE" 
message is generated by the kernel on the netlink link to ask the 
application to create such a state. I believe this is how RO states are 
inserted.
>
> I found code like this:
> /* Create policy for all BUs with home flag NOT set to
>  use home address option */
> if (cn_wildrecv_bu_pol_add())
>  return -1;
>
> As I understand it, this comment means that the H bit in the Binding Update 
> (Mobility Header type 5) is set to 0?
This policy is meant to handle incoming BU related to Route 
Optimization, i.e. with no H flag set. This one is installed in all 
peers that will act as a CN. For HA, another policy with greater 
priority is inserted later to handle the BU with the H flag set.

>
> set_selector(&in6addr_any, &in6addr_any, IPPROTO_MH,
>       IP6_MH_TYPE_BU, 0, 0, &sel);
> create_dstopt_tmpl(&tmpl, &in6addr_any, &in6addr_any);
>
> return xfrm_mip_policy_add(&sel, 0, XFRM_POLICY_IN, XFRM_POLICY_ALLOW,
>       MIP6_PRIO_RO_SIG_ANY, &tmpl, 1);
>
> I understand that we add a policy for any packet that has any src/dst 
> IPv6 address and contains a mobility header type 5 (BU), but where do we 
> check the H bit?
> What does tmpl (template) stand for?
You have to look inside the code of the xfrm_mip_policy_add function to 
understand this part, especially look at the generated netlink message. 
The content of the message will be something like this (sorry, incomplete 
description here, just to give an idea):

buf {
struct nlmsg_hdr {
 type = XFRM_MSG_NEWPOLICY;
};
struct xfrm_userpolicy_info {
selector = (the any -> any, MH/BU selector);
priority = MIP6_PRIO_RO_SIG_ANY ( low priority );
}
...
}

Then you have to look in the kernel code, xfrm_user.c, to see how the 
content of this policy is used.

I hope this helps. Sorry, I don't have more precise information in my notes...

Sebastien.

>
> Regards
> Kuba
>
> ----- Original Message ----- From: "Sebastien Decugis" 
> <sdecugis at hongo.wide.ad.jp>
> To: "Support ML" <support at ml.nautilus6.org>
> Sent: Monday, September 08, 2008 4:25 AM
> Subject: Re: [support] XFRM
>
>
>> Hello Jakub,
>>
>> Your best source for fully understanding the XFRM code is to read the xfrm 
>> sources in the kernel...
>>
>> First of all, you have several different kinds of XFRM states/policies 
>> that are installed in mip6d: ipsec, ro, destopt, udpencaps (dsmip)... 
>> The selection of packets and the processing is different for each 
>> kind of policy, so to better understand the mechanism it is better 
>> to concentrate on one kind at a time.
>>
>> For an introduction to how the packets reach the XFRM code, I'll let 
>> you read this mail sent previously on the dsmip mailing-list:
>> http://ml.nautilus6.org/pipermail/dsmip/2008-July/000024.html
>>
>> As you probably have read in the daemon code, the states and policies 
>> are installed through the netlink interface. In the kernel, the 
>> corresponding code is in xfrm_user.c file.
>>
>> XFRM states are instances of a transformer, XFRM policies are 
>> selectors that match packets and reference the states. The logic is 
>> that when a packet is processed (IN, OUT or FORWARD), the policies 
>> are looked up (xfrm_lookup()) and the associated states are 
>> associated with the skb object, then applied (I can't find where this 
>> is done right now).
>>
>> To answer your question, a policy always needs a state associated, and 
>> this state is added with the xfrm_state_add() function. For some 
>> operations, the state will contain information needed for the 
>> transformation, and for other operations the data can come from 
>> inside the packet, for example.
>>
>> I hope this helps...
>> Sebastien.
>>
>>
>> Jakub "Arkon" Syrek wrote:
>>> Hi
>>> I know that it may not be the proper list, but I am looking at the xfrm.c 
>>> source of mipl + nemo/MCoA support ..
>>> I'm trying to figure out how setting XFRM in mipl works but I can't.
>>> I was googling all day today but found nothing about it.
>>> I've found that xfrm_mip_policy_add() creates some policy for a packet 
>>> by trying to fit it to a selector (ip, port, type etc.), but what does 
>>> xfrm_state_add() do? What happens then with this selected packet?
>>> Can someone explain it to me, please?
>>>
>>> Regards
>>> Jakub Syrek
>>> _______________________________________________
>>> Support mailing list
>>> Support at ml.nautilus6.org
>>> http://ml.nautilus6.org/mailman/listinfo/support
>>>
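As an added example (not code from this thread and not mip6d's own code), the C program below builds the XFRM_MSG_NEWPOLICY netlink message Sebastien sketches for the any -> any, MH/BU policy, appends the destination-options template as an XFRMA_TMPL attribute, and then parses the buffer back the way the kernel's xfrm_user.c side has to before creating the policy. It only fills a buffer; nothing is sent to the kernel. Assumptions: the MH type is carried in the selector's sport field (the kernel's xfrm_flowi_sport() convention, which mip6d's set_selector() follows); EX_MH_TYPE_BU and EX_PRIO_RO_SIG_ANY are hypothetical constants standing in for IP6_MH_TYPE_BU and MIP6_PRIO_RO_SIG_ANY, whose real values live in the mip6d headers; the template mode is taken to be XFRM_MODE_ROUTEOPTIMIZATION. The selector_matches_mh() helper mirrors the kernel's selector test for an MH packet and answers the "where do we check the H bit" question directly: no selector field can see the H flag, so the HA distinguishes home-registration BUs only by installing a second, higher-priority policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

#ifndef IPPROTO_MH
#define IPPROTO_MH 135             /* Mobility Header, RFC 3775 */
#endif
#define EX_MH_TYPE_BU 5            /* Binding Update; stands in for mip6d's IP6_MH_TYPE_BU */
#define EX_PRIO_RO_SIG_ANY 1000    /* hypothetical value standing in for MIP6_PRIO_RO_SIG_ANY */

/* One netlink request: header, policy info, then room for attributes (XFRMA_TMPL). */
struct newpolicy_req {
    struct nlmsghdr n;
    struct xfrm_userpolicy_info pol;
    char attrs[NLA_HDRLEN + 4 * sizeof(struct xfrm_user_tmpl)];
};

/* Any -> any, MH/<type> selector as set_selector() builds it. Assumption: the kernel
 * compares the MH type against sel->sport (see xfrm_flowi_sport()), so that is where it goes. */
static void mh_selector(struct xfrm_selector *sel, int mh_type)
{
    memset(sel, 0, sizeof(*sel));
    sel->family = AF_INET6;        /* daddr/saddr stay in6addr_any with prefixlen 0: match any */
    sel->proto = IPPROTO_MH;
    if (mh_type) {
        sel->sport = htons(mh_type);
        sel->sport_mask = ~0;
    }
}

/* Template for a destination-options transform, any -> any (mode is an assumption). */
static void dstopt_tmpl(struct xfrm_user_tmpl *tmpl)
{
    memset(tmpl, 0, sizeof(*tmpl));
    tmpl->family = AF_INET6;
    tmpl->id.proto = IPPROTO_DSTOPTS;
    tmpl->mode = XFRM_MODE_ROUTEOPTIMIZATION;
}

/* Fill req with an XFRM_MSG_NEWPOLICY request and return its total length in bytes. */
static size_t build_newpolicy(struct newpolicy_req *req, const struct xfrm_selector *sel,
                              uint8_t dir, uint8_t action, uint32_t prio,
                              const struct xfrm_user_tmpl *tmpls, int ntmpl)
{
    struct nlattr *a;
    size_t payload = (size_t)ntmpl * sizeof(*tmpls);

    memset(req, 0, sizeof(*req));
    req->n.nlmsg_type = XFRM_MSG_NEWPOLICY;
    req->n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->n.nlmsg_len = NLMSG_LENGTH(sizeof(req->pol));

    req->pol.sel = *sel;
    req->pol.dir = dir;
    req->pol.action = action;
    req->pol.priority = prio;
    /* No lifetime limits: the policy stays until it is deleted. */
    req->pol.lft.soft_byte_limit = XFRM_INF;
    req->pol.lft.hard_byte_limit = XFRM_INF;
    req->pol.lft.soft_packet_limit = XFRM_INF;
    req->pol.lft.hard_packet_limit = XFRM_INF;

    /* The templates travel as one XFRMA_TMPL attribute right after the policy info. */
    a = (struct nlattr *)((char *)&req->n + NLMSG_ALIGN(req->n.nlmsg_len));
    a->nla_type = XFRMA_TMPL;
    a->nla_len = (uint16_t)(NLA_HDRLEN + payload);
    memcpy((char *)a + NLA_HDRLEN, tmpls, payload);
    req->n.nlmsg_len = NLMSG_ALIGN(req->n.nlmsg_len) + NLA_ALIGN(a->nla_len);
    return req->n.nlmsg_len;
}

/* Walk the attributes of a built request, as the receiving side must, and return how many
 * templates XFRMA_TMPL carries; -1 if the attribute is absent or the buffer is malformed. */
static int count_templates(const struct newpolicy_req *req)
{
    const char *p = (const char *)&req->n + NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req->pol)));
    const char *end = (const char *)&req->n + req->n.nlmsg_len;

    while (p + NLA_HDRLEN <= end) {
        const struct nlattr *a = (const struct nlattr *)p;
        if (a->nla_len < NLA_HDRLEN || p + a->nla_len > end)
            return -1;                                  /* truncated or bogus length */
        if (a->nla_type == XFRMA_TMPL)
            return (int)((a->nla_len - NLA_HDRLEN) / sizeof(struct xfrm_user_tmpl));
        p += NLA_ALIGN(a->nla_len);
    }
    return -1;
}

/* Mirror of the kernel's selector test for an MH packet whose addresses match (prefixlen 0 here):
 * only the protocol and the MH type (via sport/sport_mask) are compared. Nothing in
 * struct xfrm_selector can look at the BU's H flag. */
static int selector_matches_mh(const struct xfrm_selector *sel, int mh_type)
{
    return sel->proto == IPPROTO_MH && !((htons(mh_type) ^ sel->sport) & sel->sport_mask);
}

int main(void)
{
    struct newpolicy_req req;
    struct xfrm_selector sel;
    struct xfrm_user_tmpl tmpl;
    size_t len;

    mh_selector(&sel, EX_MH_TYPE_BU);
    dstopt_tmpl(&tmpl);
    len = build_newpolicy(&req, &sel, XFRM_POLICY_IN, XFRM_POLICY_ALLOW,
                          EX_PRIO_RO_SIG_ANY, &tmpl, 1);
    printf("XFRM_MSG_NEWPOLICY: %zu bytes, %d template(s), BU matches: %d\n",
           len, count_templates(&req), selector_matches_mh(&sel, EX_MH_TYPE_BU));
    return 0;
}
```

Because the selector matches every BU regardless of the H flag, the kernel picks between the CN policy built here and the HA's home-registration policy purely by the priority field in xfrm_userpolicy_info, which is why mip6d inserts the HA policy with a greater priority rather than a different selector.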