lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 21 Nov 2013 10:35:54 -0800
From:	Saurabh Mohan <saurabh.mohan@...cade.com>
To:	Steffen Klassert <steffen.klassert@...unet.com>,
	Christophe Gouault <christophe.gouault@...nd.com>,
	"Fan Du (fan.du@...driver.com)" <fan.du@...driver.com>
CC:	"David S. Miller" <davem@...emloft.net>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	Sergei Shtylyov <sergei.shtylyov@...entembedded.com>,
	Eric Dumazet <eric.dumazet@...il.com>
Subject: RE: [PATCH net v3] vti: fix spd lookup: match plaintext pkt, not
 ipsec pkt

> -----Original Message-----
> From: Steffen Klassert [mailto:steffen.klassert@...unet.com]
> Sent: Thursday, November 21, 2013 4:13 AM
> To: Christophe Gouault
> Cc: David S. Miller; Herbert Xu; netdev@...r.kernel.org; Saurabh Mohan;
> Sergei Shtylyov; Eric Dumazet
> Subject: Re: [PATCH net v3] vti: fix spd lookup: match plaintext pkt, not ipsec
> pkt
> 
> On Wed, Nov 06, 2013 at 09:05:53AM +0100, Christophe Gouault wrote:
> >
> > @@ -133,7 +134,13 @@ static int vti_rcv(struct sk_buff *skb)
> >  		 * only match policies with this mark.
> >  		 */
> >  		skb->mark = be32_to_cpu(tunnel->parms.o_key);
> > +		/* The packet is decrypted, but not yet decapsulated.
> > +		 * Temporarily make network_header point to the inner
> header
> > +		 * for policy check.
> > +		 */
> > +		skb_reset_network_header(skb);
> >  		ret = xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb);
> 
> If we do it like this, we would do an input policy check even for
> packets that should be forwarded. I think that's a bit odd.
> 
> If we really change to match plaintext traffic, we should do
> it like Fan Du proposed. Remove the policy check here and
> let the further layers do the policy enforcement. All we
> have to do is to set the skb mark, then the lookup should
> match the vti policy.
> 
> It is already clear that this packet was IPsec transformed
> when it enters vti_rcv, so deferring the policy check should
> be ok.

Agreed. The right thing to do here is apply the vti mark
and then let xfrm policy check match the clear packet with
the vti-mark on it.
The side-effect is that we'll lose the old mark.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ