lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Wed, 12 Dec 2007 21:52:56 +0800
From:	Herbert Xu <>
To:	Tyler Hicks <>
Cc:	linux netdev <>,
	David Miller <>,
	Joy Latten <>
Subject: Re: [PATCH] [IPSEC]: Add populate from packet (PFP) support

On Tue, Dec 11, 2007 at 07:23:52PM -0800, Tyler Hicks wrote:
> RFC 4301 requires us to associate each SPD entry with a set of flags to
> determine how to assign the selector values when creating a new SAD entry.
> Each selector in the new xfrm_state can either be assigned using the
> corresponding selector in the xfrm_policy or with the corresponding value
> in the flowi.  Prior to this patch, the fields in the flowi were always
> used.
> Signed-off-by: Tyler Hicks <>

Thanks for the patch Tyler!

I think the kernel is fine as it is.  What we're doing is generating
the most specific selector possible for the larval SA and which lets
the KM do whatever it wants.

What RFC 4301 is asking for is for the mature SAs to have their
selectors either populated from the policy or the packet.

So for PFP the KM should fill out its SA selector according to its
PFP flags.  In other words we don't need PFP flags in the kernel
at all.

> +	if (pol->flags & XFRM_POLICY_PFP_SPORT) {
> +		x-> = xfrm_flowi_sport(fl);
> +		x->sel.sport_mask = htons(0xffff);
> +	} else {
> +		x-> = pol->;
> +		x-> = pol->selector.sport_mask;

There's a typo here.

Visit Openswan at
Email: Herbert Xu ~{PmV>HI~} <>
Home Page:
PGP Key:
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists