
Introduction

The OpenBSD [1] mbuf_tags framework allows the kernel to attach arbitrary information to data packets as they flow through the network stack. This information is generally of two types: (i) a record of processing that has already been applied to the packet, e.g., the fact that a packet was encrypted under a particular IPsec [5] security association, or (ii) a "reminder" to perform some operation on the packet in the future, e.g., apply an encryption algorithm in software prior to transmitting the packet, if the outgoing interface does not provide integrated cryptographic facilities.

In the former case, the information is intended for consumption by the kernel itself (e.g., detecting whether a processing loop has occurred, to avoid resource exhaustion) or by a user-level process (e.g., exposing to a network daemon some IPsec-related information, indicating that a packet was protected by a particular security association). In the latter case ("reminders"), the information is intended for use by the lower levels of the network stack, e.g., device drivers that offer specific functionality, such as outgoing packet checksumming.
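To make the two kinds of tag concrete, the following is a small C model written for this page; it is not the OpenBSD implementation, and its names (tag_attach, tag_find, ipsec_input, driver_transmit) and tag types are invented for the illustration rather than being the kernel's m_tag_* API or PACKET_TAG_* constants. A packet carries a chain of (type, length, data) tags. The "record" use is shown by IPsec input storing the SPI it already processed, so that the same packet looping back through the same security association is rejected rather than consuming resources indefinitely; the "reminder" use is shown by the output path leaving a checksum-pending tag that the driver stage consumes exactly once.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tag types for this example (not OpenBSD's PACKET_TAG_* values). */
enum {
    TAG_IPSEC_IN_DONE = 1,  /* record: packet already processed under this SPI */
    TAG_CSUM_PENDING  = 2   /* reminder: checksum still to be computed in software */
};

struct tag {
    struct tag *next;
    int type;
    size_t len;
    unsigned char data[];   /* tag payload, copied in at attach time */
};

struct packet {
    struct tag *tags;       /* chain of tags, newest first */
    uint8_t payload[32];
    size_t payload_len;
    uint16_t csum;          /* stands in for a transport checksum field */
};

/* Attach a copy of 'len' bytes as a tag at the head of the chain. */
static struct tag *tag_attach(struct packet *p, int type, const void *data, size_t len)
{
    struct tag *t = malloc(sizeof *t + len);
    if (t == NULL)
        return NULL;
    t->type = type;
    t->len = len;
    if (len > 0)
        memcpy(t->data, data, len);
    t->next = p->tags;
    p->tags = t;
    return t;
}

/* Find the next tag of 'type' after 'start' (NULL starts at the head). */
static struct tag *tag_find(const struct packet *p, int type, const struct tag *start)
{
    struct tag *t = start != NULL ? start->next : p->tags;
    for (; t != NULL; t = t->next)
        if (t->type == type)
            return t;
    return NULL;
}

/* Unlink and free one tag; a tag not on the chain is ignored. */
static void tag_delete(struct packet *p, struct tag *victim)
{
    for (struct tag **pp = &p->tags; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == victim) {
            *pp = victim->next;
            free(victim);
            return;
        }
    }
}

static void tag_free_all(struct packet *p)
{
    while (p->tags != NULL)
        tag_delete(p, p->tags);
}

/* Use (i): record of processing. Returns 0 when processed, -1 on a detected loop. */
static int ipsec_input(struct packet *p, uint32_t spi)
{
    const struct tag *t = NULL;
    while ((t = tag_find(p, TAG_IPSEC_IN_DONE, t)) != NULL) {
        uint32_t seen;
        memcpy(&seen, t->data, sizeof seen);
        if (seen == spi)            /* same SA again: the packet has looped */
            return -1;
    }
    return tag_attach(p, TAG_IPSEC_IN_DONE, &spi, sizeof spi) != NULL ? 0 : -1;
}

/* Use (ii): reminder. The output path does not know the interface's abilities. */
static int ip_output(struct packet *p)
{
    return tag_attach(p, TAG_CSUM_PENDING, NULL, 0) != NULL ? 0 : -1;
}

/* Driver stage consumes the reminder. Returns 1 if a reminder was present. */
static int driver_transmit(struct packet *p, int hw_csum_offload)
{
    struct tag *t = tag_find(p, TAG_CSUM_PENDING, NULL);
    if (t == NULL)
        return 0;
    if (!hw_csum_offload) {         /* toy checksum: 16-bit byte sum of payload */
        uint32_t sum = 0;
        for (size_t i = 0; i < p->payload_len; i++)
            sum += p->payload[i];
        p->csum = (uint16_t)(sum & 0xffff);
    }
    tag_delete(p, t);               /* reminder consumed exactly once */
    return 1;
}

/* Scenario runners; each returns 1 when the expected behaviour is observed. */
static int scenario_loop_detection(void)
{
    struct packet p = {0};
    int ok = ipsec_input(&p, 0x100) == 0
          && ipsec_input(&p, 0x200) == 0    /* a different SA is fine */
          && ipsec_input(&p, 0x100) == -1;  /* same SA again: loop */
    tag_free_all(&p);
    return ok;
}

static int scenario_checksum_reminder(void)
{
    struct packet p = {0};
    memcpy(p.payload, "\x01\x02\x03", 3);   /* constructed payload */
    p.payload_len = 3;
    int ok = ip_output(&p) == 0
          && driver_transmit(&p, 0) == 1    /* no offload: done in software */
          && p.csum == 6
          && driver_transmit(&p, 0) == 0;   /* tag already consumed */
    tag_free_all(&p);
    return ok;
}
```

The chain walk in ipsec_input is the reason a lookup takes a "start from here" argument: several records of the same type can coexist on one packet (one per SA traversed), and the loop check must examine all of them rather than only the first.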

Although originally developed for use by the IPsec stack, mbuf_tags have been in use by several other network components, such as various pseudo-devices, the packet filtering (PF) engine, and some device drivers. The use of mbuf_tags by such diverse elements demonstrates their effectiveness and usefulness as tools for the kernel developer. This is underlined by their adoption in the FreeBSD kernel for use in the recently revised IPsec stack.

The purpose of this paper is to expose the mbuf_tags mechanism to the general kernel developer community, both to encourage wider use and to solicit improvements to its functionality. We believe that mbuf_tags offer a flexible and simple mechanism that enables several types of processing that were previously difficult or impossible to perform in the BSD network stack.

The remainder of this paper is organized as follows. Section 2 discusses the design rationale and presents the API itself in some detail. Section 3 discusses the various uses of the mbuf_tags in the OpenBSD network stack, and Section 4 discusses some of our future work plans. Section 5 concludes the paper.


Angelos D. Keromytis
7/7/2003