[ovs-discuss] IPsec authentication headers and L4 matching

Jesse Gross jesse at nicira.com
Sat Feb 9 04:04:15 UTC 2013


On Fri, Feb 8, 2013 at 3:41 PM, Saul St. John <sstjohn at cs.wisc.edu> wrote:
> On 02/07/2013 07:12 PM, Jesse Gross wrote:
>>
>> On Thu, Feb 7, 2013 at 3:23 PM, Saul St. John<sstjohn at cs.wisc.edu>  wrote:
>>>
>>> 2) Is it possible to similarly ignore (transport-mode) AH in IPv4
>>> packets, or does the presence of an AH preclude matching against L4 ports?
>>
>> It should be possible although the case for it is less clear since
>> with IPv6 the extension headers are part of the L3 header, whereas in
>> IPv4 they are acting like an L4 header.
>
> For transport mode AH, is that a real distinction, or just a semantic kludge
> around IPv4 not defining an extension header mechanism? After all, as
> RFC4302 states, "In the IPv6 context, AH is viewed as an end-to-end
> payload".

It's definitely a kludge and technically a violation of how IPv6
packets are supposed to be parsed.  However, as far as defining a
general framework goes without calling out specific protocols, I think
it more or less matches what most people are looking for.

>> As a result, if we went down
>> this path and started adding protocols to skip it would change
>> behavior over time.
>
> Sorry, I wasn't clear. I was asking whether this was possible with Open
> vSwitch as currently written. I gather it's not.

No, it's not.

>>> 3) Can the current behavior be reconciled with OF 1.3's IPv6 extension
>>> header handling, or will implementing that necessitate a breaking change?
>>
>> I don't think it is a problem to add support for OpenFlow's extension
>> header support since that essentially appears as an extra field that is
>> a mask of the headers skipped.
>
> So, the first time I read the OF 1.3 spec, I came away with the impression
> that to skip extension headers like this, you'd need to have an
> OFPAT_SET_FIELD action that cleared the OFPIEH_AUTH bit from the
> OXM_OF_IPV6_EXTHDR.
>
> That's (clearly) insane, and I understand better now, but I'm left sorta
> curious what that action should even do... :-)

I believe that the intention of the OpenFlow spec for parsing is
pretty similar to the OVS model (plus the extra field that I
mentioned).  My guess is that clearing bits from the extension header
is unlikely to be supported on any switch.
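The distinction Jesse draws above, that an IPv6 extension header is part of L3 and can be walked past to reach the L4 ports, while in IPv4 an AH sits where the L4 header would be, is easy to get wrong in a parser because AH is sized differently from every other extension header (RFC 4302 counts 32-bit words minus 2; hop-by-hop, routing and destination options count 64-bit units not including the first 8 bytes). The following is an added example written for this page, not Open vSwitch code: a small header walk that skips IPv6 extension headers and records which ones it stepped over in a mask in the spirit of OF 1.3's OXM_OF_IPV6_EXTHDR, and an IPv4 path that stops at AH (no ports, as the thread says OVS does today) unless told to skip it. The EH_* bit values, the function names and the sample packet are all assumptions constructed for the example; the next-header numbers are the IANA ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IANA next-header / protocol numbers. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43, NH_AH = 51, NH_DSTOPTS = 60 };

/* Assumed bit layout for a "headers skipped" mask, modelled loosely on
 * OpenFlow 1.3's OXM_OF_IPV6_EXTHDR; illustrative values, not the spec's. */
enum { EH_HOP = 0x01, EH_ROUTE = 0x02, EH_AUTH = 0x08, EH_DEST = 0x10 };

struct l4_match {
    uint8_t  proto;       bool ports_valid;   /* proto the walk stopped at; ports found? */
    uint16_t src_port, dst_port;
    uint16_t exthdr_mask;                     /* one EH_* bit per header stepped over */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Step over the header of type *nh at off: returns the offset of the next header
 * (updating *nh and *mask), or 0 if this is not a header we skip (so it is L4) or
 * it is truncated. AH is sized in 32-bit words minus 2 (RFC 4302); the other
 * extension headers use 64-bit units not counting the first 8 bytes. */
static size_t skip_header(const uint8_t *pkt, size_t len, size_t off,
                          uint8_t *nh, uint16_t *mask)
{
    size_t hlen; uint16_t bit;
    if (off + 8 > len) return 0;
    switch (*nh) {
    case NH_HOPOPTS: hlen = (pkt[off + 1] + 1u) * 8; bit = EH_HOP;   break;
    case NH_ROUTING: hlen = (pkt[off + 1] + 1u) * 8; bit = EH_ROUTE; break;
    case NH_DSTOPTS: hlen = (pkt[off + 1] + 1u) * 8; bit = EH_DEST;  break;
    case NH_AH:      hlen = (pkt[off + 1] + 2u) * 4; bit = EH_AUTH;  break;
    default:         return 0;
    }
    if (off + hlen > len) return 0;
    *mask |= bit;
    *nh = pkt[off];                  /* Next Header is byte 0 in all of these */
    return off + hlen;
}

static void read_ports(const uint8_t *pkt, size_t len, size_t off,
                       uint8_t proto, struct l4_match *m)
{
    m->proto = proto;
    if ((proto == NH_TCP || proto == NH_UDP) && off + 4 <= len) {
        m->src_port = be16(pkt + off); m->dst_port = be16(pkt + off + 2);
        m->ports_valid = true;
    }
}

/* IPv6: extension headers, AH included, belong to L3, so walk past them. */
bool parse_ipv6(const uint8_t *pkt, size_t len, struct l4_match *m)
{
    memset(m, 0, sizeof *m);
    if (len < 40 || (pkt[0] >> 4) != 6) return false;
    uint8_t nh = pkt[6]; size_t off = 40, next;
    for (int guard = 16; guard-- > 0; off = next)       /* bounded on hostile input */
        if ((next = skip_header(pkt, len, off, &nh, &m->exthdr_mask)) == 0) break;
    read_ports(pkt, len, off, nh, m);
    return true;
}

/* IPv4: AH is reached through the Protocol field, i.e. it sits where L4 would be.
 * skip_ah=false stops at AH with no ports (what the thread says OVS does today). */
bool parse_ipv4(const uint8_t *pkt, size_t len, bool skip_ah, struct l4_match *m)
{
    memset(m, 0, sizeof *m);
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    size_t off = (pkt[0] & 0x0fu) * 4u, next; uint8_t proto = pkt[9];
    if (off < 20 || off > len) return false;
    if (proto == NH_AH && skip_ah &&
        (next = skip_header(pkt, len, off, &proto, &m->exthdr_mask)) != 0)
        off = next;
    read_ports(pkt, len, off, proto, m);
    return true;
}

/* Constructed sample, not a capture: IP | AH (24 bytes) | TCP 4660 -> 80. */
static size_t build_sample(bool v6, uint8_t buf[128])
{
    size_t off;
    memset(buf, 0, 128);
    if (v6) { buf[0] = 0x60; buf[5] = 44; buf[6] = NH_AH; buf[7] = 64; off = 40; }
    else    { buf[0] = 0x45; buf[3] = 64; buf[8] = 64; buf[9] = NH_AH; off = 20; }
    buf[off] = NH_TCP; buf[off + 1] = 4;  /* AH Payload Len 4 -> (4+2)*4 = 24 bytes */
    off += 24; buf[off] = 0x12; buf[off + 1] = 0x34; buf[off + 3] = 0x50;  /* TCP ports */
    return off + 20;
}

/* Parse the sample and return the match; skip_ah only matters for IPv4. */
struct l4_match demo(bool v6, bool skip_ah)
{
    uint8_t buf[128]; struct l4_match m = {0}; size_t n = build_sample(v6, buf);
    if (v6) parse_ipv6(buf, n, &m); else parse_ipv4(buf, n, skip_ah, &m);
    return m;
}
```

Run against the constructed IPv6 sample, demo(true, false) reaches TCP 4660 -> 80 with EH_AUTH set in the mask; demo(false, false) stops at protocol 51 with no ports, and demo(false, true) shows what the "skip AH in IPv4" behaviour asked about in the thread would look like. The guard in parse_ipv6 matters in a switch: without it, a crafted chain of self-referencing headers can pin the parser.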