← Back to team overview

hipl-core team mailing list archive

One more thing about hipfw-performance


Things currently done by hipfw in userspace, other than dispatching (see filter_esp_state()):

- validating esp_prot tokens
Should packets be forced into userspace when esp_prot is active?

- validating the esp seqno
Forging this isn't lucrative for attackers anyway, because the packet is going to be discarded at the end-host. If someone was after DOS-ing the middlebox, he'd be able to without sequence number trickery since an SA has already been established at this point.

- updating connection timestamp
The timestamp isn't currently referenced in the code anyway.

Of course, these currently won't be done if dispatched by iptables.

Follow ups