hipl-core team mailing list archive
Message #00182
One more thing about hipfw-performance
Things currently done by hipfw in userspace, other than dispatching (see
filter_esp_state()):
- validating esp_prot tokens
Should packets be forced into userspace when esp_prot is active?
- validating the esp seqno
Forging this isn't lucrative for attackers anyway, because the packet is
going to be discarded at the end-host. If someone were after DoS-ing the
middlebox, he'd be able to do so without sequence number trickery, since an SA
has already been established at this point.
- updating connection timestamp
The timestamp isn't currently referenced in the code anyway.
Of course, these currently won't be done if dispatched by iptables.
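For readers unfamiliar with what "validating the esp seqno" costs per packet, here is an added example of an RFC 4303 style anti-replay window check of the kind a middlebox or end host applies to each ESP sequence number. It is illustration written for this archive page, not hipfw's own code: the names (esp_replay_state, esp_replay_check, esp_replay_run, esp_replay_demo), the 64-bit window and the use of plain 32-bit sequence numbers without ESN are all assumptions, and the packet arrival order in esp_replay_demo() is constructed sample data.

```c
/* Added example, not HIPL/hipfw code. Hypothetical names throughout.
 * Sliding-window anti-replay check for ESP sequence numbers,
 * modelled on RFC 4303 section 3.4.3 (64-packet window, no ESN). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64

struct esp_replay_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set: packet last_seq - i has been seen */
};

/* Returns true (and records seq) if seq is new and inside the window.
 * Returns false for a replay, a packet older than the window, or seq 0,
 * which RFC 4303 never permits on the wire. */
bool esp_replay_check(struct esp_replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;

    if (seq > st->last_seq) {
        /* Window slides right; shifting by >= 64 bits is undefined in C,
         * so a jump that large simply resets the bitmap. */
        uint32_t shift = seq - st->last_seq;
        if (shift >= REPLAY_WINDOW)
            st->bitmap = 1;
        else
            st->bitmap = (st->bitmap << shift) | 1;
        st->last_seq = seq;
        return true;
    }

    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                     /* too old to judge: drop */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;                     /* already seen: replay */
    st->bitmap |= ((uint64_t)1 << diff);  /* late but legitimate */
    return true;
}

/* Feed a sequence of arriving seqnos through one SA's state and return
 * how many would be accepted. */
size_t esp_replay_run(struct esp_replay_state *st, const uint32_t *seqs, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (esp_replay_check(st, seqs[i]))
            accepted++;
    return accepted;
}

/* Constructed sample arrival order: a duplicate, a late packet, a large
 * jump, a packet that is then too old, and an invalid seqno 0. */
int esp_replay_demo(void)
{
    static const uint32_t seqs[] = {1, 1, 5, 3, 3, 100, 5, 0, 99};
    struct esp_replay_state st = {0, 0};
    return (int)esp_replay_run(&st, seqs, sizeof seqs / sizeof seqs[0]);
}

int main(void)
{
    printf("accepted %d of 9 sample packets\n", esp_replay_demo());
    return 0;
}
```

The check itself is cheap, a compare and a shift, but in hipfw it runs in userspace after the packet has been queued up from the kernel; that context switch per packet, rather than the arithmetic, is the cost the message is weighing against dispatching via iptables.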