xref: /openbsd-src/sys/netinet/ip_ecn.c (revision f2da64fbbbf1b03f09f390ab01267c93dfd77c4c) 
1 /*	$OpenBSD: ip_ecn.c,v 1.7 2014/12/19 17:14:40 tedu Exp $	*/
2 /*	$KAME: ip_ecn.c,v 1.9 2000/10/01 12:44:48 itojun Exp $	*/
3 
4 /*
5  * Copyright (C) 1999 WIDE Project.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the project nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  *
32  */
33 /*
34  * ECN consideration on tunnel ingress/egress operation.
35  * http://www.aciri.org/floyd/papers/draft-ipsec-ecn-00.txt
36  */
37 
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 
42 #include <netinet/in.h>
43 #include <netinet/ip.h>
44 
45 #ifdef INET6
46 #include <netinet/ip6.h>
47 #endif
48 
49 #include <netinet/ip_ecn.h>
50 
51 /*
52  * ECN and TOS (or TCLASS) processing rules at tunnel encapsulation and
53  * decapsulation from RFC3168:
54  *
55  *                      Outer Hdr at                 Inner Hdr at
56  *                      Encapsulator                 Decapsulator
57  *   Header fields:     --------------------         ------------
58  *     DS Field         copied from inner hdr        no change
59  *     ECN Field        constructed by (I)           constructed by (E)
60  *
61  * ECN_ALLOWED (full functionality):
62  *    (I) if the ECN field in the inner header is set to CE, then set the
63  *    ECN field in the outer header to ECT(0).
64  *    otherwise, copy the ECN field to the outer header.
65  *
66  *    (E) if the ECN field in the outer header is set to CE and the ECN
67  *    field of the inner header is not-ECT, drop the packet.
68  *    if the ECN field in the inner header is set to ECT(0) or ECT(1)
69  *    and the ECN field in the outer header is set to CE, then copy CE to
70  *    the inner header.  otherwise, make no change to the inner header.
71  *
72  * ECN_FORBIDDEN (limited functionality):
73  *    (I) set the ECN field to not-ECT in the outer header.
74  *
75  *    (E) if the ECN field in the outer header is set to CE, drop the packet.
76  *    otherwise, make no change to the ECN field in the inner header.
77  *
78  * the drop rule is for backward compatibility and protection against
79  * erasure of CE.
80  */
81 
82 /*
83  * modify outer ECN (TOS) field on ingress operation (tunnel encapsulation).
84  * call it after you've done the default initialization/copy for the outer.
85  */
86 void
87 ip_ecn_ingress(mode, outer, inner)
88 	int mode;
89 	u_int8_t *outer;
90 	u_int8_t *inner;
91 {
92 	if (!outer || !inner)
93 		panic("NULL pointer passed to ip_ecn_ingress");
94 
95 	*outer = *inner;
96 	switch (mode) {
97 	case ECN_ALLOWED:		/* ECN allowed */
98 	case ECN_ALLOWED_IPSEC:
99 		/*
100 		 * full-functionality: if the inner is CE, set ECT(0)
101 		 * to the outer.  otherwise, copy the ECN field.
102 		 */
103 		if ((*inner & IPTOS_ECN_MASK) == IPTOS_ECN_CE)
104 			*outer &= ~IPTOS_ECN_ECT1;
105 		break;
106 	case ECN_FORBIDDEN:		/* ECN forbidden */
107 		/*
108 		 * limited-functionality: set not-ECT to the outer
109 		 */
110 		*outer &= ~IPTOS_ECN_MASK;
111 		break;
112 	case ECN_NOCARE:	/* no consideration to ECN */
113 		break;
114 	}
115 }
116 
117 /*
118  * modify inner ECN (TOS) field on egress operation (tunnel decapsulation).
119  * call it after you've done the default initialization/copy for the inner.
120  * the caller should drop the packet if the return value is 0.
121  */
122 int
123 ip_ecn_egress(mode, outer, inner)
124 	int mode;
125 	u_int8_t *outer;
126 	u_int8_t *inner;
127 {
128 	if (!outer || !inner)
129 		panic("NULL pointer passed to ip_ecn_egress");
130 
131 	switch (mode) {
132 	case ECN_ALLOWED:
133 	case ECN_ALLOWED_IPSEC:
134 		/*
135 		 * full-functionality: if the outer is CE and the inner is
136 		 * not-ECT, should drop it.  otherwise, copy CE.
137 		 * However, according to RFC4301, we should just leave the
138 		 * inner as non-ECT for IPsec.
139 		 */
140 		if ((*outer & IPTOS_ECN_MASK) == IPTOS_ECN_CE) {
141 			if ((*inner & IPTOS_ECN_MASK) == IPTOS_ECN_NOTECT) {
142 				if (mode == ECN_ALLOWED_IPSEC)
143 					return (1);
144 				else
145 					return (0);
146 			}
147 			*inner |= IPTOS_ECN_CE;
148 		}
149 		break;
150 	case ECN_FORBIDDEN:		/* ECN forbidden */
151 		/*
152 		 * limited-functionality: if the outer is CE, should drop it.
153 		 * otherwise, leave the inner.
154 		 */
155 		if ((*outer & IPTOS_ECN_MASK) == IPTOS_ECN_CE)
156 			return (0);
157 		break;
158 	case ECN_NOCARE:	/* no consideration to ECN */
159 		break;
160 	}
161 	return (1);
162 }
163