lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Wed, 21 Jan 2009 11:14:04 +0200
From:	Timo Teräs <timo.teras@....fi>
To:	netdev@...r.kernel.org, Herbert Xu <herbert@...dor.apana.org.au>
CC:	David Miller <davem@...emloft.net>
Subject: NBMA GRE over IPsec behind NAT

Hi,

I sent a mail earlier about this subject, see:
http://marc.info/?l=linux-netdev&m=122232910618099&w=4

I've been thinking more about this and reading the code
trying to figure out how to fix this.

One idea for the fix would be:
1. Include the NAT Original Address in NDA_LLADDR (this way
   we don't have to modify struct neighbour)
2. Add new Neighbor Cache Entry Flag (NTF_NATOA?) to specify
   if the NAT-OA is present
3. Modify neighbor cache to cope with the new flag and address
4. Add NAT-OA field for ipv4 in struct flowi
5. ipv4/xfrm4_policy.c: __xfrm4_find_bundle() to compare NAT-OA
   if it is specified in struct flowi.
6. Possibly ipv4/xfrm4_policy.c: _decode_session4() would
   extract the NAT-OA to struct flowi from skb->dst->neighbour.

Does this sound something that might work? Would it be an
acceptable approach?

- Timo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists