lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID:  <8763puwrm8.fsf@natisbad.org>
Date:	Thu, 21 Aug 2008 13:10:39 +0200
From:	arno@...isbad.org (Arnaud Ebalard)
To:	netdev@...r.kernel.org
Cc:	David Miller <davem@...emloft.net>,
	Shinta Sugimoto <shinta@....wide.ad.jp>,
	Masahide NAKAMURA <nakam@...ux-ipv6.org>,
	YOSHIFUJI Hideaki / 吉藤英明 
	<yoshfuji@...ux-ipv6.org>
Subject:  [PATCH] XFRM: MIGRATE enhancements 

Hi,

I start with the context, patch-related information follow.

XFRM supports a feature called MIGRATE, used by MIPv6 for the purpose of
IPsec SP/SA updates upon movement. It was integrated some time ago by
people of USAGI (Masahide Nakamura, Shinta Sugimoto and possibly
others). Sugimoto-san and Nakamura-san (in CC) also published a document
(IETF draft, see [1]) which specifies the original PF_KEY MIGRATE
mechanism.

Because MIGRATE was not sufficient for bootstrapping IKE negotiation in
MIPv6 context, an additional PF_KEY extension was also defined in the 
draft (SADB_X_EXT_PACKET): simply put, its main goal was to carry a
verbatim copy of the triggering packet in the ACQUIRE so that the key
manager be able to deduce some information on the addresses to use for
the negotiation. A limited version of this feature implemented for Linux
Kernel proved to be a pain to maintain and there was also additional
drawbacks. This is why I never pushed associated patches.

This convinced me to propose some *simple* improvements to MIGRATE
authors: removing SADB_X_EXT_PACKET and replacing it by something more
efficient which also solves other lacks. It is defined in a continuation
work [2] of MIGRATE mechanim ([1] is expired). The proposed changes
have been validated by Sugimoto-san and I have implemented and
maintained patches for UMIP (Usagi MIPv6 userland implementation for
Linux), racoon (IKE daemon) and Linux kernel (XFRM and PF_KEY) since
2.6.23-rc7 or so. I use it on a daily basis on my main laptop.

Simply put, the feature allows a MIPv6 Mobile Node to negotiate IPsec
using IKE (bootstrapping) and then perform movements without the need
for rekeying (migration of in-kernel SP/SA (done by current kernel code)
*and* passing of required info for update of IKE-maintained
structures). Take a look at [3] for more information.

The patch attached to this email provides the missing bits between
current MIGRATE implementation and what is specified in [2]. It is
against today's net-2.6 but also applies fine on net-next-2.6 ;-)

If you have questions, do not hesitate.

Cheers,

a+

[1]: http://tools.ietf.org/html/draft-sugimoto-mip6-pfkey-migrate-04
[2]: http://tools.ietf.org/html/draft-ebalard-mext-pfkey-enhanced-migrate-00 
[3]: http://natisbad.org/MIPv6/


View attachment "XFRM-MIGRATE-enhancements.patch" of type "text/x-diff" (16452 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ