
hipl-core team mailing list archive

One more thing about hipfw-performance


Things currently done by hipfw in userspace, other than dispatching (see filter_esp_state()):

- validating esp_prot tokens
Should packets be forced into userspace when esp_prot is active?

- validating the esp seqno
Forging this isn't lucrative for attackers anyway, because the packet is going to be discarded at the end-host. If someone were after DoS-ing the middlebox, he'd be able to without sequence number trickery, since an SA has already been established at this point.

- updating connection timestamp
The timestamp isn't currently referenced in the code anyway.

Of course, these currently won't be done if dispatched by iptables.
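As an added illustration of what per-SA ESP sequence-number validation at the middlebox amounts to (this is not hipfw's own code; the struct, window size and sample packet stream are constructed for the example), here is an RFC 4303-style sliding anti-replay window in C:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed per-SA replay state; hipfw keeps its own structures. */
#define REPLAY_WIN 64           /* window width in sequence numbers */

struct esp_sa_state {
    uint32_t last_seq;          /* highest sequence number accepted so far */
    uint64_t bitmap;            /* bit i set: seq (last_seq - i) already seen */
};

/* Accept seq if it is fresh and inside the window; update state on accept.
 * A forged or replayed seqno is simply dropped here, which is why a
 * middlebox gains little from doing this check on behalf of the end-host. */
bool esp_seqno_check(struct esp_sa_state *sa, uint32_t seq)
{
    if (seq == 0)
        return false;                       /* seq 0 is never transmitted */

    if (seq > sa->last_seq) {               /* advances the window */
        uint32_t shift = seq - sa->last_seq;
        /* shifting a uint64_t by >= 64 is undefined, so clear instead */
        sa->bitmap = (shift >= REPLAY_WIN) ? 0 : (sa->bitmap << shift);
        sa->bitmap |= 1;                    /* bit 0 now marks seq itself */
        sa->last_seq = seq;
        return true;
    }

    uint32_t diff = sa->last_seq - seq;     /* how far behind the window head */
    if (diff >= REPLAY_WIN)
        return false;                       /* too old: left of the window */
    if (sa->bitmap & ((uint64_t)1 << diff))
        return false;                       /* replay: already seen */
    sa->bitmap |= (uint64_t)1 << diff;      /* late but fresh: accept */
    return true;
}

/* Constructed sample stream: duplicates, a late packet, seq 0, a big jump
 * and a packet that falls off the left edge. Returns the number accepted. */
int demo_accepted(void)
{
    static const uint32_t stream[] = {1, 1, 5, 3, 3, 0, 200, 100, 150};
    struct esp_sa_state sa = {0, 0};
    int accepted = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (esp_seqno_check(&sa, stream[i]))
            accepted++;
    return accepted;                        /* 5: seqs 1, 5, 3, 200, 150 */
}
```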
