Open Source and information security mailing list archives
Date:   Tue, 11 Jul 2017 16:58:16 +0530
From:   Balaji Foss <balajig.foss@...il.com>
To:     netdev@...r.kernel.org
Cc:     steffen.klassert@...unet.com,
        Herbert Xu <herbert@...dor.apana.org.au>
Subject: Re: Regarding xfrm state search with destination address as wildcard mask

Hi

Any help on this query is greatly appreciated.

Thanks,
  - Balaji

On Thu, Jul 6, 2017 at 12:21 PM, Balaji Foss <balajig.foss@...il.com> wrote:
> Hi All,
>
> I'm trying to implement IPsec for OSPFv3 as per RFC 4552 on Linux kernel
> version 3.16.39.
> The requirement is to support IPsec encryption/authentication for OSPFv3 traffic.
> As of now, this can be achieved by the following set of SA and SP rules.
>
> ip xfrm state add src :: dst ff02::5 proto ah spi 0x401 mode transport
> auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src :: dst ff02::6 proto ah spi 0x401 mode transport
> auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src <sip> dst <dst_ip> proto ah spi 0x401 mode
> transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src <dst_ip> dst <sip> proto ah spi 0x401 mode
> transport auth "hmac(sha1)" 0x12345678123456781234567812345678
>
> ip xfrm policy add dir out src <sip> dst 0::0/0 dev e101-049-0 proto
> ospf priority 2147483648 tmpl  proto ah spi 0x401 mode transport level
> use
> ip xfrm policy add dir in src 0::0/0 dst 0::0/0 dev e101-049-0 proto
> ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level
> use
>
>
> One can notice that it needs four SA rules to achieve IPsec for a single
> OSPF interface.
> Instead of these four rules, can we have a single rule with the DIP as a
> wildcard mask, and the xfrm state search based on SPI, family and
> proto alone?
>
> As of now, the API "__xfrm_state_lookup" searches based on
> SPI, family, proto and dest_addr. Is there any way I can achieve the SA
> lookup without dest_addr and only with SPI, family and proto alone?
>
> Any help or pointers are greatly appreciated.
>
> Regards
> Bala
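The SA/SP set the quoted message describes, as an added example that is not part of the original post or of the kernel: a small POSIX sh script that generates the `ip xfrm` commands for one OSPFv3 interface and any number of unicast neighbours, which makes the growth the post complains about (2 + 2N states per interface) visible. It prints the commands unless run with APPLY=1 as root. The interface name, addresses, SPI and key are constructed sample values, and the key check is an added sanity check, not something the post asks for.

```shell
#!/bin/sh
# Added example (not from the original post or the kernel tree): generate the
# ip xfrm states and policies for RFC 4552-style AH transport mode on one
# OSPFv3 interface. Dry-run by default; APPLY=1 executes the commands.
DEV="${DEV:-e101-049-0}"                           # constructed sample interface
SPI="${SPI:-0x401}"                                # sample SPI, as in the post
KEY="${KEY:-0x12345678123456781234567812345678}"   # constructed sample key

# Print one command per line, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Reject keys that are not 0x-prefixed hex with an even digit count, so a
# typo does not silently become a different (shorter) key. Returns 0 if OK.
check_key() {  # check_key <key>
    case "$1" in
        0x*) hex=${1#0x} ;;
        *)   return 1 ;;
    esac
    [ -n "$hex" ] && [ $(( ${#hex} % 2 )) -eq 0 ] \
        && [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]
}

# One AH transport-mode SA. As the post notes, the kernel's state lookup is
# keyed on dst/SPI/proto/family, so every distinct destination needs its own
# state entry even though SPI and key are identical.
add_sa() {  # add_sa <src> <dst>
    run ip xfrm state add src "$1" dst "$2" proto ah spi "$SPI" \
        mode transport auth "hmac(sha1)" "$KEY"
}

# Two SAs for the multicast groups (AllSPFRouters ff02::5, AllDRouters ff02::6)
# plus an inbound and an outbound SA per unicast neighbour: 2 + 2N in total.
ospf3_sas() {  # ospf3_sas <local-address> <neighbour-address>...
    lcl=$1; shift
    add_sa :: ff02::5
    add_sa :: ff02::6
    for nbr in "$@"; do
        add_sa "$lcl" "$nbr"
        add_sa "$nbr" "$lcl"
    done
}

# The two policies from the post: OSPF protocol on the interface, AH transport
# template with the shared SPI, level use.
ospf3_policies() {  # ospf3_policies <local-address>
    run ip xfrm policy add dir out src "$1" dst ::/0 dev "$DEV" proto ospf \
        priority 2147483648 tmpl proto ah spi "$SPI" mode transport level use
    run ip xfrm policy add dir in src ::/0 dst ::/0 dev "$DEV" proto ospf \
        priority 2147483648 tmpl proto ah spi "$SPI" mode transport level use
}

# Number of state entries the generated set contains (dry-run line count).
sa_count() {  # sa_count <local-address> <neighbour-address>...
    ospf3_sas "$@" | wc -l | tr -d ' '
}

# Usage (dry run, prints the commands):
#   . ./ospf3-xfrm.sh
#   check_key "$KEY" || echo "bad key"
#   ospf3_sas 2001:db8::1 2001:db8::2 2001:db8::3
#   ospf3_policies 2001:db8::1
# Apply for real (root): APPLY=1 DEV=eth0 ospf3_sas 2001:db8::1 2001:db8::2
```

Adding a third neighbour on the same link produces two more `ip xfrm state add` lines while the policies stay at two, which is exactly the asymmetry the post is asking the kernel to remove by matching on SPI, family and proto alone.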
