Message ID | cover.1573487190.git.sd@queasysnail.net |
---|---|
Series | ipsec: add TCP encapsulation support (RFC 8229) |
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Tue, 12 Nov 2019 16:18:37 +0100

> This patchset introduces support for TCP encapsulation of IKE and ESP
> messages, as defined by RFC 8229 [0]. It is an evolution of what
> Herbert Xu proposed in January 2018 [1] that addresses the main
> criticism against it, by not interfering with the TCP implementation
> at all. The networking stack now has infrastructure for this: TCP ULPs
> and Stream Parsers.
>
> The first patches are preparation and refactoring, and the final patch
> adds the feature.
>
> The main omission in this submission is IPv6 support. ESP
> encapsulation over UDP with IPv6 is currently not supported in the
> kernel either, as UDP encapsulation is aimed at NAT traversal, and NAT
> is not frequently used with IPv6.
>
> Some of the code is taken directly, or slightly modified, from Herbert
> Xu's original submission [1]. The ULP and strparser pieces are
> new. This work was presented and discussed at the IPsec workshop and
> netdev 0x13 conference [2] in Prague, last March.
>
> [0] https://tools.ietf.org/html/rfc8229
> [1] https://patchwork.ozlabs.org/patch/859107/
> [2] https://netdevconf.org/0x13/session.html?talk-ipsec-encap

...

This looks generally fine to me, and I assume Steffen will pick this up and integrate it into his ipsec-next tree.

For the series:

Acked-by: David S. Miller <davem@davemloft.net>

On Tue, Nov 12, 2019 at 04:18:37PM +0100, Sabrina Dubroca wrote:

> This patchset introduces support for TCP encapsulation of IKE and ESP
> messages, as defined by RFC 8229 [0]. It is an evolution of what
> Herbert Xu proposed in January 2018 [1] that addresses the main
> criticism against it, by not interfering with the TCP implementation
> at all. The networking stack now has infrastructure for this: TCP ULPs
> and Stream Parsers.
>
> The first patches are preparation and refactoring, and the final patch
> adds the feature.
>
> The main omission in this submission is IPv6 support. ESP
> encapsulation over UDP with IPv6 is currently not supported in the
> kernel either, as UDP encapsulation is aimed at NAT traversal, and NAT
> is not frequently used with IPv6.
>
> Some of the code is taken directly, or slightly modified, from Herbert
> Xu's original submission [1]. The ULP and strparser pieces are
> new. This work was presented and discussed at the IPsec workshop and
> netdev 0x13 conference [2] in Prague, last March.
>
> [0] https://tools.ietf.org/html/rfc8229
> [1] https://patchwork.ozlabs.org/patch/859107/
> [2] https://netdevconf.org/0x13/session.html?talk-ipsec-encap

The patchset does not apply anymore after updating the ipsec-next tree. Can you respin once again?

I'll apply it right away then.

Thanks!

2019-11-21, 06:51:51 +0100, Steffen Klassert wrote:

> On Tue, Nov 12, 2019 at 04:18:37PM +0100, Sabrina Dubroca wrote:
> > This patchset introduces support for TCP encapsulation of IKE and ESP
> > messages, as defined by RFC 8229 [0]. It is an evolution of what
> > Herbert Xu proposed in January 2018 [1] that addresses the main
> > criticism against it, by not interfering with the TCP implementation
> > at all. The networking stack now has infrastructure for this: TCP ULPs
> > and Stream Parsers.
> >
> > The first patches are preparation and refactoring, and the final patch
> > adds the feature.
> >
> > The main omission in this submission is IPv6 support. ESP
> > encapsulation over UDP with IPv6 is currently not supported in the
> > kernel either, as UDP encapsulation is aimed at NAT traversal, and NAT
> > is not frequently used with IPv6.
> >
> > Some of the code is taken directly, or slightly modified, from Herbert
> > Xu's original submission [1]. The ULP and strparser pieces are
> > new. This work was presented and discussed at the IPsec workshop and
> > netdev 0x13 conference [2] in Prague, last March.
> >
> > [0] https://tools.ietf.org/html/rfc8229
> > [1] https://patchwork.ozlabs.org/patch/859107/
> > [2] https://netdevconf.org/0x13/session.html?talk-ipsec-encap
>
> The patchset does not apply anymore after updating the
> ipsec-next tree. Can you respin once again?
>
> I'll apply it right away then.
>
> Thanks!

Ah, yes, that's the change Eric mentioned last week. I'll repost in a bit, thanks.