beet-patch-2.6.13.1

Host Identity Protocol on Linux is an implemetation of the Host Identity Protocol (HIP) and the rela

diff -urN linux-2.6.13.1/Documentation/networking/README.BEET beet-trunk/linux/Documentation/networking/README.BEET
--- linux-2.6.13.1/Documentation/networking/README.BEET	1970-01-01 02:00:00.000000000 +0200
+++ beet-trunk/linux/Documentation/networking/README.BEET	2005-09-26 16:10:15.000000000 +0300
@@ -0,0 +1,150 @@
+Linux BEET-mode patch
+
+Authors:	Abhinav Pathak <abpathak@iitk.ac.in>
+		Diego Beltrami <diego.beltrami@gmail.com>
+		Miika Komu <miika@iki.fi>
+		Kristian Slavov <kristian.slavov@nomadiclab.com>
+		Jeff Ahrenholz <jeffrey.m.ahrenholz@boeing.com>
+
+
+Changelog:	May 25, 2005 this document created
+
+
+Description
+-----------
+This patch extends the native Linux 2.6 kernel IPsec to support 
+Bound-End-to-End-Tunnel (BEET) mode:
+
+Abstract
+
+   This document specifies a new mode, called Bound End-to-End Tunnel
+   (BEET) mode, for IPsec ESP.  The new mode augments the existing ESP
+   tunnel and transport modes.  For end-to-end tunnels, the new mode
+   provides limited tunnel mode semantics without the regular tunnel
+   mode overhead.  The mode is intended to support new uses of ESP,
+   including mobility and multi-address multi-homing.
+
+http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-03.txt
+
+Data Structures
+---------------
+
+* policy = inner = selector.family
+* SA = outer = props.family
+
+About protocol support
+----------------------
+
+The BEET mode supports both ESP and AH (IPComp is not meant to work alone with
+BEET because there is lack of information of xfrm_state: IPComp does not
+compress packets whose size is less than a certain threshold -see RFC 2394-).
+
+This patch allows only for plain family transform, meaning the inner and outer 
+families are the same.
+A second patch which deals with different family will be created.
+
+
+Packet en/decapsulation
+-----------------------
+
+Note: the family of the xfrm function in the input side is
+different. For example, in the inner=4, outer=6 case, xfrm4_output is
+called (because the socket is IPv4 socket) on the output side, and
+xfrm6_rcv_encap() is called on the input side (because the packet
+received is an IPv6 packet).
+
+
+****** OUTPUT ******
+
+When entering xfrm[4-6]_output() the packet is:
+
+	---------------------
+	|IP Hdr|     |      |
+	|INNER | TCP | Data |
+	---------------------
+		  |
+		  |
+	    xfrm[4-6]_encap()
+		  |
+		  |
+		  V
+	------------------------------
+	|IP Hdr|        |     |      |
+	|INNER |        | TCP | Data |
+	------------------------------
+		  |
+		  |
+       changing the IP hdr inner->outer
+		  |
+		  |
+		  V
+	------------------------------
+	|IP Hdr|        |     |      |
+	|OUTER |        | TCP | Data |
+	------------------------------
+		  |
+		  |
+		  |
+	   x->type->output()
+		  |
+		  |
+		  V
+	-------------------------------------------
+	|IP Hdr| ESP or |     |      | ESP   | ESP|
+	|INNER | AH hdr | TCP | Data |Trailer|Auth|
+	-------------------------------------------
+		  |                  |<---------->|
+		  |                    only if ESP is used
+		  |
+		  V
+	    packet to be sent
+
+
+
+****** INPUT ******
+
+The packet is received and the function xfrm[4-6]_rcv_encap() is invoked.
+The received packet is in the same format as it has been sent:
+
+	-------------------------------------------
+	|IP Hdr| ESP or |     |      | ESP   | ESP|
+	|OUTER | AH hdr | TCP | Data |Trailer|Auth|
+	-------------------------------------------
+		  |                  |<---------->|
+		  |                    only if ESP is used
+		  |
+       	      x->type->input()
+		  |
+		  |
+		  V
+	---------------------
+	|IP Hdr|     |      |
+	|OUTER | TCP | Data |
+	---------------------
+		  |
+		  |
+	 if mode==BEET the IP hdr is pushed
+	 (the length field is correctly readjusted and
+	  in case of IPv4 the checksum is properly set)
+		  |
+		  |
+		  V
+	------------------------------
+	|IP Hdr|        |     |      |
+	|INNER |        | TCP | Data |
+	------------------------------
+		  |
+		  |
+       	   Changing IPHdr outer->inner
+		  |
+		  |
+		  V
+	---------------------
+	|IP Hdr|     |      |
+	|INNER | TCP | Data |
+	---------------------
+		  |
+		  |
+		  |
+		  V
+	      netif_rx()
diff -urN linux-2.6.13.1/include/linux/ipsec.h beet-trunk/linux/include/linux/ipsec.h
--- linux-2.6.13.1/include/linux/ipsec.h	2005-09-10 05:42:58.000000000 +0300
+++ beet-trunk/linux/include/linux/ipsec.h	2005-09-26 16:09:06.000000000 +0300
@@ -12,7 +12,8 @@
 enum {
 	IPSEC_MODE_ANY		= 0,	/* We do not support this for SA */
 	IPSEC_MODE_TRANSPORT	= 1,
-	IPSEC_MODE_TUNNEL	= 2
+	IPSEC_MODE_TUNNEL	= 2,
+	IPSEC_MODE_BEET         = 3
 };
 
 enum {
diff -urN linux-2.6.13.1/include/linux/xfrm.h beet-trunk/linux/include/linux/xfrm.h
--- linux-2.6.13.1/include/linux/xfrm.h	2005-09-10 05:42:58.000000000 +0300
+++ beet-trunk/linux/include/linux/xfrm.h	2005-09-26 16:09:02.000000000 +0300
@@ -102,6 +102,13 @@
 	XFRM_SHARE_UNIQUE	/* Use once */
 };
 
+enum
+{
+	XFRM_MODE_TRANSPORT = 0,
+	XFRM_MODE_TUNNEL,
+	XFRM_MODE_BEET
+};
+
 /* Netlink configuration messages.  */
 enum {
 	XFRM_MSG_BASE = 0x10,
diff -urN linux-2.6.13.1/net/ipv4/ah4.c beet-trunk/linux/net/ipv4/ah4.c
--- linux-2.6.13.1/net/ipv4/ah4.c	2005-09-10 05:42:58.000000000 +0300
+++ beet-trunk/linux/net/ipv4/ah4.c	2005-09-26 16:09:31.000000000 +0300
@@ -255,7 +255,7 @@
 		goto error;
 	
 	x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) + ahp->icv_trunc_len);
-	if (x->props.mode)
+	if (x->props.mode == XFRM_MODE_TUNNEL)
 		x->props.header_len += sizeof(struct iphdr);
 	x->data = ahp;
 
diff -urN linux-2.6.13.1/net/ipv4/esp4.c beet-trunk/linux/net/ipv4/esp4.c
--- linux-2.6.13.1/net/ipv4/esp4.c	2005-09-10 05:42:58.000000000 +0300
+++ beet-trunk/linux/net/ipv4/esp4.c	2005-09-26 16:09:32.000000000 +0300
@@ -306,7 +306,7 @@
 	struct esp_data *esp = x->data;
 	u32 blksize = crypto_tfm_alg_blocksize(esp->conf.tfm);
 
-	if (x->props.mode) {
+	if (x->props.mode == XFRM_MODE_TUNNEL) {
 		mtu = (mtu + 2 + blksize-1)&~(blksize-1);
 	} else {
 		/* The worst case. */
@@ -428,7 +428,7 @@
 	if (crypto_cipher_setkey(esp->conf.tfm, esp->conf.key, esp->conf.key_len))
 		goto error;
 	x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen;
-	if (x->props.mode)
+	if (x->props.mode == XFRM_MODE_TUNNEL)
 		x->props.header_len += sizeof(struct iphdr);
 	if (x->encap) {
 		struct xfrm_encap_tmpl *encap = x->encap;
diff -urN linux-2.6.13.1/net/ipv4/ipcomp.c beet-trunk/linux/net/ipv4/ipcomp.c
--- linux-2.6.13.1/net/ipv4/ipcomp.c	2005-09-10 05:42:58.000000000 +0300
+++ beet-trunk/linux/net/ipv4/ipcomp.c	2005-09-26 16:09:32.000000000 +0300
@@ -437,7 +437,7 @@
 
 	memset(ipcd, 0, sizeof(*ipcd));
 	x->props.header_len = 0;
-	if (x->props.mode)
+	if (x->props.mode == XFRM_MODE_TUNNEL)
 		x->props.header_len += sizeof(struct iphdr);
 
 	down(&ipcomp_resource_sem);
@@ -449,7 +449,7 @@
 		goto error;
 	up(&ipcomp_resource_sem);
 
-	if (x->props.mode) {
+	if (x->props.mode == XFRM_MODE_TUNNEL) {
 		err = ipcomp_tunnel_attach(x);
 		if (err)
 			goto error_tunnel;
diff -urN linux-2.6.13.1/net/ipv4/xfrm4_input.c beet-trunk/linux/net/ipv4/xfrm4_input.c
--- linux-2.6.13.1/net/ipv4/xfrm4_input.c	2005-09-10 05:42:58.000000000 +0300
+++ beet-trunk/linux/net/ipv4/xfrm4_input.c	2005-09-26 16:09:32.000000000 +0300
@@ -96,7 +96,7 @@
 
 		iph = skb->nh.iph;
 
-		if (x->props.mode) {
+		if (x->props.mode == XFRM_MODE_TUNNEL) {
 			if (iph->protocol != IPPROTO_IPIP)
 				goto drop;
 			if (!pskb_may_pull(skb, sizeof(struct iphdr)))
@@ -114,6 +114,29 @@
 			memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
 			decaps = 1;
 			break;
+		} else if (x->props.mode == XFRM_MODE_BEET) {
+			int size = sizeof(struct iphdr);
+			if (skb_cloned(skb) &&
+			    pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
+				goto drop;
+
+			skb_push(skb, size);
+			memmove(skb->data, skb->nh.raw, size);
+			skb->nh.raw = skb->data;
+
+			if (x->sel.family == AF_INET) {
+				struct iphdr *iph = skb->nh.iph;
+				iph = skb->nh.iph;
+				iph->tot_len = htons(skb->len);
+				iph->daddr = x->sel.daddr.a4;
+				iph->saddr = x->sel.saddr.a4;
+				iph->check = 0;
+				iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
+				skb->protocol = htons(ETH_P_IP);
+			} else