On Wed, Mar 08, 2006 at 08:02:36PM -0800, Sam Leffler wrote:
[.....]
> If I recall the IPIP handling is different from KAME because there is
> support for IPIP encapsulation independent of the IPsec protocols while
> KAME only handles IPIP as part of the ESP tunnel configuration. As to
> overhead, in practice, at least back in 4.x where this work was
> originally done, the netisr dispatch was effectively short-circuited
> because the dispatch was done from the netisr thread so the net cost was
> an enqueue+dequeue of the packet. I'm not sure about extraneous trips
> through ip_input or not stripping headers; this stuff used to work right
> but I've not looked at the code in years.

There IS some code to remove the IPIP header, but it doesn't work.

I just reported pr kern/94273 with a patch which solves it.

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
_______________________________________________
freebsd-net mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
