Things currently done by hipfw in userspace, other than dispatching (see filter_esp_state()):

- validating esp_prot tokens
Should packets be forced into userspace when esp_prot is active?

- validating the esp seqno
Forging this isn't lucrative for attackers anyway, because the packet is going to be discarded at the end-host. If someone was after DoS-ing the middlebox, he'd be able to do so without sequence number trickery, since an SA has already been established at this point.

- updating connection timestamp
The timestamp isn't currently referenced in the code anyway.

Of course, these currently won't be done if dispatched by iptables.

_______________________________________________
Mailing list: https://launchpad.net/~hipl-core
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~hipl-core
More help   : https://help.launchpad.net/ListHelp

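For reference, the per-SA state that the ESP sequence-number validation discussed above involves: an added example (not hipfw's own code) of an RFC 4303-style anti-replay sliding window. The 64-bit window size, the function and struct names, and the sample trace are all constructed for illustration.

```c
/* Added example (not hipfw code): RFC 4303 anti-replay sliding window check,
 * the kind of ESP sequence-number validation done per SA by an end-host or a
 * middlebox. Window size, names and the sample trace are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define REPLAY_WINDOW 64   /* bits in the window; constructed choice */

struct esp_replay_state {
    uint32_t last_seq;     /* highest sequence number accepted so far */
    uint64_t bitmap;       /* bit i set <=> (last_seq - i) already seen */
};

/* Returns true and updates the window if seq is fresh; false if it is a
 * replay or older than the window. Sequence number 0 is never valid. */
bool esp_replay_check(struct esp_replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;
    if (seq > st->last_seq) {
        /* Ahead of the window: slide it forward and accept. */
        uint32_t diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW)
            st->bitmap = (st->bitmap << diff) | 1ULL;
        else
            st->bitmap = 1ULL;     /* jumped past the whole window */
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;              /* older than the window: drop */
    if (st->bitmap & (1ULL << diff))
        return false;              /* already seen: replay, drop */
    st->bitmap |= (1ULL << diff);  /* inside window, first time: accept */
    return true;
}

int main(void)
{
    struct esp_replay_state st = { 0, 0 };
    uint32_t sample[] = { 1, 2, 5, 2, 3, 5, 70, 6 }; /* constructed trace */
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("seq %u: %s\n", sample[i],
               esp_replay_check(&st, sample[i]) ? "accept" : "drop");
    return 0;
}
```

In the constructed trace, the second 2 and the second 5 are dropped as replays, 70 slides the window past everything seen so far, and 6 is then dropped as older than the window.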