| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Jan 2009 22:20:35 -0800 (PST) From: David Miller <davem@...emloft.net> To: paul.moore@...trify.com Cc: netdev@...r.kernel.org Subject: Re: port bound SAs From: "Paul Moore" <paul.moore@...trify.com> Date: Mon, 26 Jan 2009 11:21:33 -0800 > A few weeks ago I posted a question to the IETF IPsec group on this > topic > > I have 2 SPDs declared saying (transport mode) > 10.0.0.0/24 port 23 esp > 10.0.0.0/24 port 80 esp > > I then initiate a connection from that Linux machine to another system > that has the same logical rules > port 23 fires up and I get an SA pair. The question is - does that SA > pair belong to port 23 or not > If I now connect using port 80 from the same Linux box to the same peer > it tries to use the SA already set up for port 23 > The remote system (windows in my test case) drops the packets because it > believes that the SA is for port 23 traffic only Why does the Linux system do this? The route lookup should, as it's final IPSEC route lookup action, do an xfrm policy lookup which should do a selector match and thus not match the port 23 rule. I can't find the code which would allow the sequence of events you describe, can you? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists