lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 27 Jan 2009 08:53:47 -0800
From:	"Paul Moore" <paul.moore@...trify.com>
To:	"David Miller" <davem@...emloft.net>
Cc:	<netdev@...r.kernel.org>
Subject: RE: port bound SAs

my inspection of the code shows that the port numbers in the SA do not
get propagated into the right places
in transport mode linux is never aware of the port numbers 
racoon systematically zeros them out during SA setup, but even if i
correct the racoon code to put the port number in it still fails becuase
the port numbers get ignored by the kernel

-----Original Message-----
From: David Miller [mailto:davem@...emloft.net] 
Sent: Monday, January 26, 2009 10:21 PM
To: Paul Moore
Cc: netdev@...r.kernel.org
Subject: Re: port bound SAs

From: "Paul Moore" <paul.moore@...trify.com>
Date: Mon, 26 Jan 2009 11:21:33 -0800

> A few weeks ago I posted a question to the IETF IPsec group on this
> topic 
> 
> I have 2 SPDs declared saying (transport mode)
> 10.0.0.0/24 port 23 esp
> 10.0.0.0/24 port 80 esp
> 
> I then initiate a connection from that Linux machine to another system
> that has the same logical rules
> port 23 fires up and I get an SA pair. The question is - does that SA
> pair belong to port 23 or not
> If I now connect using port 80 from the same Linux box to the same
peer
> it tries to use the SA already set up for port 23
> The remote system (windows in my test case) drops the packets because
it
> believes that the SA is for port 23 traffic only

Why does the Linux system do this?  The route lookup should, as it's
final IPSEC route lookup action, do an xfrm policy lookup which should
do a selector match and thus not match the port 23 rule.

I can't find the code which would allow the sequence of events
you describe, can you?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ