lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20090122085053.GA12806@gondor.apana.org.au>
Date:	Thu, 22 Jan 2009 19:50:53 +1100
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	Timo Teräs <timo.teras@....fi>
Cc:	David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] af_key: parse and send SADB_X_EXT_NAT_T_OA extension

On Thu, Jan 22, 2009 at 10:31:32AM +0200, Timo Teräs wrote:
> 
> The (quickish) look on *swans would imply that for each
> dynamic connection I would need to hand create a new connection
> entity. Could be scriptable, but then I would somehow
> need to make up connection names based on the IPs and always
> inject full config by the admin tool.

They have templates for inbound connections on servers and also
outbound connections which were used for Opportunistic Encryption.
So you can adapt these to generate connections on demand.

Also creating/destroying connections at run-time is really easy
without generating a full config at all by using ipsec whack.
 
> But if there's multiple nodes behind same public IP the xfrm
> has two (or more) choices for which xfrm state to use. The
> NAT-OA can be used as distinguishing factor. So when ip_gre
> sends out packet, the xfrm can choose the correct xfrm state.

That's precisely what you don't want to do unless you trust all
your peers equally.  The reason is that NAT-OA is not authenticated,
i.e., I can choose any address to send over as NAT-OA and there
is nothing you can do to stop me.

It was only ever intended to be used for fixing up the checksum
so you can't safely use it for making policy/routing decisions.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ