lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 07 Mar 2008 15:32:09 +0900
From:	Kazunori MIYAZAWA <kazunori@...azawa.org>
To:	David Miller <davem@...emloft.net>
CC:	netdev@...r.kernel.org, usagi-core@...ux-ipv6.org
Subject: Re: [PATCH][IPSEC] inter address family IPsec tunnel on the fly

Thank you for reviewing the patch,

David Miller wrote:
> From: Kazunori MIYAZAWA <kazunori@...azawa.org>
> Date: Wed, 5 Mar 2008 21:37:27 +0900
> 
>> Hello David,
> 
> Hello,
> 
>> This patch fix inter address family ipsec tunneling
>> when we install IPsec SA via PF_KEY interface
>> because there are no interface to set the selector.
>>
>> This patch is for net-2.6
>>
>> Signed-off-by: Kazunori MIYAZAWA <miyazawa@...ux-ipv6.org>
>> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
> 
> It seems quite excessive to grab and release the module reference
> count during every packet input/output which happens through IPSEC
> tunnels.
> 
> The whole reason we store the mode information in the state is so that
> we only have to grab the reference during IPSEC rule addition, instead
> of during packet processing.
> 
> Having to export xfrm_mode_{get,put} from xfrm_state.c is a sure
> sign of trouble :-)
> 

At the beginning I tried to implement inter address tunnel mode module.
However it was complicated and I gave up it because I could not send
the patches before next release.

Should we give up configure a tunnel mode xfrm_state which has no
selector? If so, we may need to extend PF_KEYv2 interface to set
the selector.

> Is there some way we can simply propagate the correct setting to
> x->inner_mode?
> 

Now I have no idea :-<

> I also wonder if the PF_KEY limitation really exists.  For example we
> will set x->sel.family etc. from the SADB_EXT_ADDRESS_PROXY attribute
> if present.
> 

Yes, we have SADB_EXT_ADDRESS_PROXY. But it is not enough, I think.
xfrm_selector has both src and dst so that we need some way to
specify the address is src or dst.

from RFC2367

    The SRC and DST addresses for a security association MUST be in the
    same protocol family and MUST always be present or absent together in
    a message.  The PROXY address MAY be in a different protocol family,
    and for most security protocols, represents an actual originator of a
    packet.  (For example, the inner-packets's source address in a
    tunnel.)

    The SRC address MUST be a unicast or unspecified (e.g., INADDR_ANY)
    address.  The DST address can be any valid destination address
    (unicast, multicast, or even broadcast). The PROXY address SHOULD be
    a unicast address (there are experimental security protocols where
    PROXY semantics may be different than described above).


> Finally, if the determination can be made in the data path, it
> by definition could be made during rule insertion which is much
> more efficient and appropriate.

I agree with you.

Anyway I'm considering another way.

Thank you,

--
Kazunori Miyazawa

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists