Date:   Mon, 22 Jan 2018 11:33:53 +0100 (CET)
From:   Marco Berizzi <pupilla@...ero.it>
To:     netdev@...r.kernel.org
Subject: esp spi incorrectly reported by ip -s x p

Hello everyone,

I'm running strongSwan 5.6.1 on linux-4.14.x (slackware 14.2 64bit)
with iproute 4.14.1.

When I issue 'ip -s x p', I get this output:

src 10.180.0.0/16 dst 10.81.110.10/32 uid 0
        dir out action allow index 137 priority 375423 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-19 17:43:50 use 2018-01-19 17:47:25
        tmpl src 10.81.110.254 dst 10.81.110.10
                proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
        dir fwd action allow index 154 priority 375423 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-19 17:43:50 use -
        tmpl src 10.81.110.10 dst 10.81.110.254
                proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
        dir in action allow index 144 priority 375423 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
        tmpl src 10.81.110.10 dst 10.81.110.254
                proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

As you may see, the esp security parameter index is correctly reported
for the first policy, but is 0x00000000 for the other two entries.
The output from strongSwan 'ipsec statusall' instead shows them correctly:

INSTALLED, TUNNEL, reqid 4, ESP SPIs: c16fd9e3_i 500e0603_o
3DES_CBC/HMAC_MD5_96/MODP_1024, 11180 bytes_i (215 pkts, 245s ago), 596700 bytes_o (459 pkts, 29s ago)
10.180.0.0/16 === 10.81.110.10/32

Also, the output from 'ip -s x s' reports the esp spi value correctly:

src 10.81.110.254 dst 10.81.110.10
        proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
        replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(md5) 0x5b029bb432e892780c4d28a2c4f4253d (128 bits) 96
        enc cbc(des3_ede) 0x01cf85a8cc981a3abe5ae9173bd45abbeedfd8d80f176fe9 (192 bits)
        anti-replay context: seq 0x0, oseq 0x1cb, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 4147(sec), hard 4800(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          596700(bytes), 459(packets)
          add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
        stats:
          replay-window 0 replay 0 failed 0
src 10.81.110.10 dst 10.81.110.254
        proto esp spi 0xc16fd9e3(3245332963) reqid 4(0x00000004) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(md5) 0x2354ae62bc484d3c3d9e13c9bae1fd66 (128 bits) 96
        enc cbc(des3_ede) 0x15fcba9ac7f78e9126b2394db6e7619ebe4bc27ace4d1603 (192 bits)
        anti-replay context: seq 0xda, oseq 0x0, bitmap 0xffffffff
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 3968(sec), hard 4800(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          11180(bytes), 215(packets)
          add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
        stats:
          replay-window 0 replay 0 failed 0

Kindly, I would like to ask if this is the expected behaviour.

Thanks in advance

Marco Berizzi
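A small consistency check, added here as an example and not part of the original mail or of iproute2/strongSwan: it parses the two listing formats above, looks up the SA that each policy template's src/dst/reqid selects in the state table, and labels the template as a match, a mismatch, or a wildcard (in the kernel xfrm lookup a template SPI of zero matches any SA with the same src/dst/reqid). The embedded samples are constructed abridgements of the listings in the mail; the record layout assumed is the column-0 `src ... dst ...` line followed by indented `dir`, `tmpl` and `proto ... spi ... reqid` lines.

```python
import re

# Constructed samples, abridged from the `ip xfrm policy` / `ip xfrm state` listings above.
POLICY_OUT = """\
src 10.180.0.0/16 dst 10.81.110.10/32 uid 0
        dir out action allow index 137 priority 375423
        tmpl src 10.81.110.254 dst 10.81.110.10
                proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
        dir in action allow index 144 priority 375423
        tmpl src 10.81.110.10 dst 10.81.110.254
                proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
"""
STATE_OUT = """\
src 10.81.110.254 dst 10.81.110.10
        proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
src 10.81.110.10 dst 10.81.110.254
        proto esp spi 0xc16fd9e3(3245332963) reqid 4(0x00000004) mode tunnel
"""
SRC_DST = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^\s+dir (\w+) ")
TMPL = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto \w+ spi 0x([0-9a-f]+)\(\d+\) reqid (\d+)")

def parse_xfrm(text):
    """Records from policy or state output; a record starts at a column-0 `src ... dst` line."""
    recs, cur = [], {}
    for line in text.splitlines():
        if m := SRC_DST.match(line):
            cur = dict(src=m.group(1), dst=m.group(2))
        elif m := DIR.match(line):            # policies only
            cur["dir"] = m.group(1)
        elif m := TMPL.match(line):           # policies only
            cur["tmpl_src"], cur["tmpl_dst"] = m.groups()
        elif m := PROTO.match(line):          # SA (state) or template (policy) identity
            cur.update(spi=int(m.group(1), 16), reqid=int(m.group(2)))
            recs.append(dict(cur))
    return recs

def check_templates(policy_text, state_text):
    """Classify each policy template against the SA its src/dst/reqid selects.
    SPI 0 in a template is a wildcard: any SA matching the other fields is accepted."""
    sas = {(s["src"], s["dst"], s["reqid"]): s["spi"] for s in parse_xfrm(state_text)}
    report = []
    for p in parse_xfrm(policy_text):
        sa = sas.get((p["tmpl_src"], p["tmpl_dst"], p["reqid"]))
        status = ("no-sa" if sa is None else "wildcard" if p["spi"] == 0
                  else "match" if p["spi"] == sa else "mismatch")
        report.append((p["dir"], p["spi"], sa, status))
    return report
```

Run against live output by substituting the text of `ip -s x p` and `ip -s x s`; a "mismatch" row (non-zero template SPI that differs from the installed SA) is the case worth investigating, while "wildcard" rows are the zero-SPI templates seen in the mail.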
