[ovs-discuss] IPsec authentication headers and L4 matching

Saul St. John sstjohn at cs.wisc.edu
Thu Feb 7 23:23:40 UTC 2013


Hi!

I was reading DESIGN and lib/flow.c to try and better understand the 
behavior of Open vSwitch vis-a-vis IPsec authentication headers. It 
looks like IPsec Authentication Headers are basically ignored on IPv6 
packets when populating the 'flow' struct. As such, it would be possible 
to match against, for example, TCP src/dst ports in a packet with 
headers (IPv6, AH, TCP).

Couple of questions:

1) Is my understanding correct?

(Assuming it is...)

2) Is it possible to similarly ignore (transport-mode) AH in IPv4 
packets, or does the presence of an AH preclude matching against L4 ports?
3) Can the current behavior be reconciled with OF 1.3's IPv6 extension 
header handling, or will implementing that necessitate a breaking change?

Thanks!
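An added example, not part of the original post and not Open vSwitch code, that makes the two behaviours discussed above concrete. It walks the header chain of a constructed IPv6 or IPv4 packet carrying a transport-mode Authentication Header in front of TCP. The `skip_ah` flag selects whether the AH is stepped over (so the TCP ports behind it are available for matching, as the post describes for IPv6) or treated as the terminal protocol (so only protocol 51 is recorded and no ports). Header lengths follow the RFCs: an AH occupies `(Payload Len + 2) * 4` bytes (RFC 4302), IPv6 Hop-by-Hop, Routing and Destination Options headers `(Hdr Ext Len + 1) * 8` bytes, and the Fragment header 8 bytes (RFC 8200). The `struct l4_key`, `parse_l4` and `run_sample` names, the packed result format and the sample packets are this example's own assumptions, not the `flow` struct or API of OVS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol / next-header numbers used below. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_AH = 51, NH_DSTOPTS = 60 };

/* Hypothetical stand-in for the L4 part of a flow key (not OVS's struct flow). */
struct l4_key {
    uint8_t  proto;        /* protocol the parser stopped at */
    uint16_t src_port, dst_port;
    int      ah_seen;      /* an Authentication Header was encountered */
    int      ports_valid;  /* src/dst ports were extracted from TCP/UDP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Record the transport protocol and, for TCP/UDP, the port pair. */
static int finish_l4(const uint8_t *p, size_t len, uint8_t proto, struct l4_key *out)
{
    out->proto = proto;
    if ((proto == NH_TCP || proto == NH_UDP) && len >= 4) {
        out->src_port = rd16(p);
        out->dst_port = rd16(p + 2);
        out->ports_valid = 1;
    }
    return 0;
}

/* Walk headers starting at p with next-header value nh. v6 enables the IPv6
 * extension headers; skip_ah decides whether AH is stepped over or terminal.
 * Returns 0 on success, -1 if a header runs past the end of the buffer. */
static int walk(const uint8_t *p, size_t len, uint8_t nh, int v6, int skip_ah,
                struct l4_key *out)
{
    for (;;) {
        size_t hlen;
        if (nh == NH_AH) {
            out->ah_seen = 1;
            if (!skip_ah) return finish_l4(p, len, nh, out);  /* key sees proto 51 only */
            if (len < 2) return -1;
            hlen = ((size_t)p[1] + 2) * 4;                     /* RFC 4302 Payload Len */
        } else if (v6 && (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS)) {
            if (len < 2) return -1;
            hlen = ((size_t)p[1] + 1) * 8;                     /* RFC 8200 Hdr Ext Len */
        } else if (v6 && nh == NH_FRAGMENT) {
            hlen = 8;
        } else {
            return finish_l4(p, len, nh, out);
        }
        if (hlen > len) return -1;
        nh = p[0];                                             /* Next Header field */
        p += hlen; len -= hlen;
    }
}

/* Parse from the IP header. Returns 0 on success, -1 on malformed/truncated input. */
int parse_l4(const uint8_t *pkt, size_t len, int skip_ah, struct l4_key *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;
    if ((pkt[0] >> 4) == 6) {
        if (len < 40) return -1;
        return walk(pkt + 40, len - 40, pkt[6], 1, skip_ah, out);
    }
    if ((pkt[0] >> 4) == 4) {
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        if (len < 20 || ihl < 20 || ihl > len) return -1;
        return walk(pkt + ihl, len - ihl, pkt[9], 0, skip_ah, out);
    }
    return -1;
}

/* Constructed sample (not captured traffic, checksums left zero): IP header,
 * transport-mode AH with a 12-byte ICV (24 bytes, so Payload Len = 24/4 - 2 = 4),
 * then a 20-byte TCP header with ports 40000 -> 22. */
static size_t build_sample(int version, uint8_t *buf)
{
    size_t iplen = version == 6 ? 40 : 20;
    uint8_t *ah = buf + iplen, *tcp = ah + 24;
    memset(buf, 0, iplen + 44);
    if (version == 6) {
        buf[0] = 0x60; buf[5] = 44; buf[6] = NH_AH; buf[7] = 64;
        buf[23] = 1; buf[39] = 2;                               /* ::1 -> ::2 */
    } else {
        buf[0] = 0x45; buf[3] = 64; buf[8] = 64; buf[9] = NH_AH;
        buf[12] = 10; buf[15] = 1; buf[16] = 10; buf[19] = 2;   /* 10.0.0.1 -> 10.0.0.2 */
    }
    ah[0] = NH_TCP; ah[1] = 4; ah[7] = 1; ah[11] = 1;          /* next hdr, len, SPI 1, seq 1 */
    tcp[0] = (uint8_t)(40000 >> 8); tcp[1] = (uint8_t)(40000 & 0xff);
    tcp[3] = 22; tcp[12] = 0x50;                                /* dport 22, data offset 5 */
    return iplen + 44;
}

/* Build the sample for 'version', optionally cut it to 'cap' bytes (0 = full),
 * parse with the given AH policy and pack the result as
 * ah_seen<<24 | ports_valid<<20 | proto<<16 | dst_port, or -1 on parse error. */
int run_sample(int version, int skip_ah, size_t cap)
{
    uint8_t buf[128];
    struct l4_key k;
    size_t n = build_sample(version, buf);
    if (cap && cap < n) n = cap;
    if (parse_l4(buf, n, skip_ah, &k) < 0) return -1;
    return (k.ah_seen << 24) | (k.ports_valid << 20) | (k.proto << 16) | k.dst_port;
}

int main(void)
{
    printf("IPv6, AH skipped:  0x%08x\n", (unsigned)run_sample(6, 1, 0)); /* 0x01160016 */
    printf("IPv6, AH terminal: 0x%08x\n", (unsigned)run_sample(6, 0, 0)); /* 0x01330000 */
    printf("IPv4, AH terminal: 0x%08x\n", (unsigned)run_sample(4, 0, 0)); /* 0x01330000 */
    printf("IPv4, AH skipped:  0x%08x\n", (unsigned)run_sample(4, 1, 0)); /* 0x01160016 */
    return 0;
}
```

With `skip_ah` set the key for both packets is TCP with destination port 22, which is what a port match would need to see; with it clear the key stops at protocol 51 and `ports_valid` is 0, so a TCP port match cannot hit. The truncation path matters in practice: the AH length is read from the packet, so a walker that trusts it without the `hlen > len` check would read past the buffer on a short or crafted packet.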
