Date:	Fri, 29 Jan 2010 10:03:03 +0800
From:	Wei Yongjun <yjwei@...fujitsu.com>
To:	nicolas.dichtel@....6wind.com
CC:	Vlad Yasevich <vladislav.yasevich@...com>,
	David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
	linux-sctp@...r.kernel.org
Subject: Re: [PATCH] sctp: IPsec rules are ineffective with ipv6

Nicolas Dichtel wrote:
> Hmm, seems to not work.
> Problem is that we may have a NULL saddr in sctp_v6_get_dst().
> What about adding a new handler in struct sctp_af, like get_xfrm_dst()
> that will be called after get_saddr()? In case of IPv4, it will not do
> anything.

This would work for transmitting SCTP packets under IPsec; the
problem is that we cannot get the correct PMTU for the
transport. Under IPv4, both transmit and the PMTU are correct.

>
>
> Regards,
> Nicolas
>
> On 28.01.2010 17:36, Vlad Yasevich wrote:
>>
>> Nicolas Dichtel wrote:
>>> What about this one?
>>>
>>> Only compilation tested.
>>>
>>> xfrm_lookup() is missing in IPv6 output path. Call it when dst is
>>> built.
>>> Initial patch was written by Junwei Zhang <junwei.zhang@...nd.com>
>>>
>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>>
>> Looks like it might do the right thing.  Please run your tests
>> on this and let me.
>>
>> Thanks
>> -vlad
>>
>>> On 28.01.2010 16:24, Vlad Yasevich wrote:
>>>> David Miller wrote:
>>>>> From: Nicolas Dichtel <nicolas.dichtel@....6wind.com>
>>>>> Date: Wed, 27 Jan 2010 15:12:59 +0100
>>>>>
>>>>>> xfrm_lookup() is missing in sctp_v6_xmit(), add it.
>>>>>>
>>>>>> Signed-off-by: Junwei Zhang <junwei.zhang@...nd.com>
>>>>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>>>>> Doing this every transmit packet is overkill.
>>>>>
>>>>> Whatever calculates the route that ends up in skb_dst(skb)
>>>>> should be making this xfrm_lookup() call, not here.
>>>>>
>>>>
>>>> Hmm.. Interesting.  Looks like ip_route_output_key() will
>>>> do xfrm_lookup for you, but there is no ipv6 route lookup call
>>>> that will do the same thing.
>>>>
>>>> I guess we'll need to add an xfrm_lookup call in sctp_v6_get_dst().
>>>>
>>>> -vlad
>>
>>