Message-ID: <20071211213445.GA11887@hestia>
Date:	Tue, 11 Dec 2007 13:34:45 -0800
From:	Tyler Hicks <tyhicks@...edu>
To:	<netdev@...r.kernel.org>
CC:	<latten@...ibm.com>, <herbert@...dor.apana.org.au>,
	<davem@...emloft.net>
Subject: [IPSEC] RFC 4301 PFP Support

I'm working on adding populate from packet (PFP) support to the kernel,
as specified in RFC 4301.  While testing with openswan (2.4.9), I
noticed that the state selector values in the SAD were empty.  It seems
that when openswan sends an ALLOCSPI message, the kernel finds the larval
xfrm_state with selector fields filled in and passes it to openswan.
Openswan will then respond with an UPDSA message that includes an
xfrm_usersa_info that has empty selector values.  The kernel assumes
that these selector values are valid and deletes the larval SA and
inserts the new SA containing empty selectors.  We need SAs with valid
selectors in the SAD in order to implement PFP support.

Should we just use the larval selectors or should we assume that
openswan will begin to send valid selectors?  I asked for the openswan
dev's opinions and they referred me to Herbert Xu.  It seems as though
the correct solution would be for openswan to pass valid selectors in
UPDSA messages, even if it is the larval selectors we gave them.

On a side note, Joy Latten has reported seeing the same behavior while
using ipsec-tools.

Thanks!

Tyler Hicks
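
A simplified user-space model of the exchange described in the message above, added here as an illustration; it is not part of the original post and is not kernel or openswan code. The struct layouts, function names and sample values are assumptions constructed for the example, which contrasts trusting the UPDSA selector with the first option the message raises (keeping the larval selector when the update's selector is empty).

```c
#include <stdint.h>

/* Simplified stand-ins for the selector and SA state (assumed layout,
 * reduced to what the illustration needs; not the kernel's structs). */
struct sel {
    uint32_t saddr, daddr;            /* IPv4, host byte order */
    uint8_t  prefixlen_s, prefixlen_d, proto;
    uint16_t sport, dport;
};
struct sa { uint32_t spi; int larval; struct sel sel; };

/* Constructed sample data: the larval SA handed out on ALLOCSPI, and the
 * UPDSA payload that comes back with its selector left zeroed. */
static const struct sa SAMPLE_LARVAL =
    { 0x1000, 1, { 0xC0000201u, 0xC6336401u, 32, 32, 6, 0, 443 } };
static const struct sa SAMPLE_UPDATE = { 0x1000, 0, { 0 } };

/* An all-zero selector describes no traffic at all. */
static int sel_is_empty(const struct sel *s)
{
    return !s->saddr && !s->daddr && !s->prefixlen_s && !s->prefixlen_d &&
           !s->proto && !s->sport && !s->dport;
}

/* Behaviour described in the message: the update replaces the larval
 * entry wholesale, so an empty selector ends up in the SAD. */
static struct sa update_trusting(const struct sa *larval, const struct sa *upd)
{
    struct sa out = *upd;
    (void)larval;                     /* larval selector is discarded */
    out.larval = 0;
    return out;
}

/* First option raised in the message: fall back to the larval selector
 * when the key manager supplied an empty one. */
static struct sa update_keep_larval_sel(const struct sa *larval,
                                        const struct sa *upd)
{
    struct sa out = *upd;
    out.larval = 0;
    if (sel_is_empty(&upd->sel))
        out.sel = larval->sel;
    return out;
}
```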
