path: root/sys/netinet/ip_ipsp.c
Age | Commit message | Author
2001-03-13 | Force a new search for an SA if the latched one is deleted. | Angelos D. Keromytis
2001-03-04 | Store peer's credentials in TDB. | Angelos D. Keromytis
2001-02-28 | Keep the last packet sent or received that matched an SPD entry, and retransmit if we eventually have an SA setup for that policy. | Angelos D. Keromytis
2000-12-28 | Remove unused and confusing reporting line. | Angelos D. Keromytis
2000-12-24 | Extra argument in the function to tdb_walk(), indicating last TDB. | Angelos D. Keromytis
2000-12-18 | Minor sanity check. | Angelos D. Keromytis
2000-12-15 | send expire messages also for sa's that have not been used. okay angelos@ | Niels Provos
2000-09-19 | SA bundles. | Angelos D. Keromytis
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis
2000-08-03 | Don't even need to reset ip_sum, if we're not going to compute it here but in ip_output() | Angelos D. Keromytis
2000-08-03 | Avoid unnecessary call to in_cksum(). | Angelos D. Keromytis
2000-08-03 | Zeroize ip_sum before computing checksum (just general paranoia). | Angelos D. Keromytis
2000-06-19 | IPv6 IPsec, outbound direction. restriction: if there's any extension header (except fragment) and outbound packet matches tdb, we can't encrypt it. packet will not go out of the node (dropped). | Jun-ichiro itojun Hagino
2000-06-18 | Correct function declaration. | Angelos D. Keromytis
2000-06-18 | Pull in the right header for ip6_sprintf(), fix argument. | Angelos D. Keromytis
2000-06-18 | Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | Angelos D. Keromytis
2000-06-18 | Print++ | Angelos D. Keromytis
2000-06-06 | Get rid of tdb_ref, keep indirect pointer to TDB. | Angelos D. Keromytis
2000-06-01 | Fix the German's comment typos. | Angelos D. Keromytis
2000-06-01 | Should learn how to count... | Angelos D. Keromytis
2000-06-01 | Oops, remove bogus comment. | Angelos D. Keromytis
2000-06-01 | Beautify a little bit. | Angelos D. Keromytis
2000-06-01 | Use ipsp_spd_lookup() in ip_output() | Angelos D. Keromytis
2000-06-01 | ipsp_acquire_sa() | Angelos D. Keromytis
2000-06-01 | ipsp_spd_lookup() | Angelos D. Keromytis
2000-04-19 | tdb_ref should be signed, this avoids a problem with flushing the TDB table causing repeated allocations of bypass TDBs. | Angelos D. Keromytis
2000-03-28 | Allow authentication-only ESP (must have broken it in the previous round of commits). | Angelos D. Keromytis
2000-03-28 | Set the protocol family in the destination address of bypass flows. | Angelos D. Keromytis
2000-03-17 | Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: multiple instances of the same algorithm used in the same session; use of multiple crypto drivers in the same session; asymmetric crypto. No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal. | Angelos D. Keromytis
2000-02-09 | don't need netinet6/in6.h | Jun-ichiro itojun Hagino
2000-02-07 | fix include file path related to ip6. | Jun-ichiro itojun Hagino
2000-01-27 | Merge "old" and "new" ESP and AH in two files (one for each). Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits). | Angelos D. Keromytis
2000-01-21 | Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not affected by net.inet.ipip.allow (the sysctl formerly known as net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input. | Angelos D. Keromytis
2000-01-13 | Print number of ingress flows in /kern/ipsec | Angelos D. Keromytis
2000-01-13 | put_flow(), find_flow(), and delete_flow() get a third argument (for ingress or egress flow) | Angelos D. Keromytis
2000-01-11 | Correct sa_require handling. | Angelos D. Keromytis
2000-01-11 | Fix check for sen_type. | Angelos D. Keromytis
2000-01-11 | Use default values when requesting dynamic VPNs. | Angelos D. Keromytis
2000-01-11 | Only use defaults if they have sane values. | Angelos D. Keromytis
2000-01-10 | Add 10 new ipsec-related sysctl variables...they are currently under net.inet.ip; perhaps they should be moved under net.inet.ipsec or some such. | Angelos D. Keromytis
2000-01-10 | Some more code for dealing with socket IPsec options. | Angelos D. Keromytis
2000-01-10 | Only setup an expiration for embryonic SAs if net.inet.ip.ipsec-invalid-life >=0 | Angelos D. Keromytis
2000-01-10 | Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the amount of time embryonic SAs will be kept before they have to be initialized by key management (this only affects automated key management). | Angelos D. Keromytis
2000-01-10 | 1) Setup a silent TDB expiration for embryonic SAs. 2) Fix check_ipsec_policy() to deal with v6 PCBs. 3) Fix ACL protocol check. | Angelos D. Keromytis
2000-01-10 | Free ACL when deleting TDB. | Angelos D. Keromytis
2000-01-09 | Ports in network order... | Angelos D. Keromytis
1999-12-27 | Print associated interface, if present. | Angelos D. Keromytis
1999-12-25 | Change some function prototypes, don't unnecessarily initialize some variables. | Angelos D. Keromytis
1999-12-25 | Move the IPsec packet-processing loop to a separate routine, so we can reuse it in ip6_output and the bridge. The policy-lookup code will probably follow suit in a separate routine sometime soon. | Angelos D. Keromytis
1999-12-08 | comment out call to inet_ntoa6() as we don't have the code yet. | Jun-ichiro itojun Hagino