lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <BB7E16A14DE689469A181EC770AFBF4D02A7775E@exch-one.centrify.com>
Date:	Wed, 28 Jan 2009 10:27:09 -0800
From:	"Paul Moore" <paul.moore@...trify.com>
To:	"Patrick McHardy" <kaber@...sh.net>
Cc:	"David Miller" <davem@...emloft.net>, <netdev@...r.kernel.org>
Subject: RE: port bound SAs

Aha - so with racoon (which uses pfkey) I cannot make this work.

This kind of seems broken - doesn't it? racoon is a very common IKE
daemon.

So what IKE daemon should I be using on Linux?

FYI

On Solaris they do 2367 differently (I know this because I am in the
middle of porting racoon to Solaris):

the ACQUIRE message to user land has port selectors in it (Linux does
not, and racoon accidentally barfs if they are there);
the ADD and UPDATE messages from user land contain selectors and the
kernel expects them (racoon leaves them set randomly; fortunately Linux
pfkey throws them away).

This is why Solaris does the right thing in terms of wire behavior. Its
selector code knows about ports (using its own IKE daemon).

The simple solution is to stop the pfkey interface throwing the port
numbers away, and then I can change racoon to send them (which I had to
do for the Solaris port).



-----Original Message-----
From: Patrick McHardy [mailto:kaber@...sh.net] 
Sent: Wednesday, January 28, 2009 10:12 AM
To: Paul Moore
Cc: David Miller; netdev@...r.kernel.org
Subject: Re: port bound SAs

Paul Moore wrote:
> So how do I get an SA with a port set on it

You don't, using pfkey. Use reqid or ip xfrm.
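The route Patrick points at, as an added example that is not part of the thread and not racoon's or the kernel's code: build a port-bound transport-mode ESP SA and its matching policy with `ip xfrm`, where the `sel ... proto tcp sport/dport` clause carries the per-port selector that the pfkey path drops, and `reqid` ties the policy template to the state. The addresses, SPI, reqid and key are constructed for illustration; the key is a throwaway and must never be reused. The commands are built by functions so they can be inspected in a dry run, and applied inside a scratch network namespace only when run as root with `XFRM_APPLY=1`.

```shell
#!/bin/sh
# Added example: a port-bound SA via "ip xfrm" instead of pfkey.
# Everything below (addresses, SPI, reqid, key) is constructed for the demo.

SRC=10.0.0.1
DST=10.0.0.2
SPI=0x1000
REQID=1
# Constructed throwaway key: rfc4106(gcm(aes)) takes a 128-bit key plus a
# 32-bit salt, i.e. 20 bytes / 40 hex digits. Do not use in real traffic.
KEY=0x00112233445566778899aabbccddeeff01020304

# Build the "ip xfrm state add" line for TCP from $1 (sport) to $2 (dport).
# The "sel" clause is the port selector that Linux pfkey cannot carry: this
# SA only matches TCP packets SRC:sport -> DST:dport, nothing else.
xfrm_state_cmd() {
    sport=$1; dport=$2
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport aead 'rfc4106(gcm(aes))' %s 128 sel src %s/32 dst %s/32 proto tcp sport %s dport %s" \
        "$SRC" "$DST" "$SPI" "$REQID" "$KEY" "$SRC" "$DST" "$sport" "$dport"
}

# Build the matching outbound policy. The selector repeats the same ports and
# the template's reqid binds this policy to the SA created above, so a packet
# hitting the policy is protected by exactly that SA.
xfrm_policy_cmd() {
    sport=$1; dport=$2
    printf "ip xfrm policy add src %s/32 dst %s/32 proto tcp sport %s dport %s dir out tmpl src %s dst %s proto esp reqid %s mode transport" \
        "$SRC" "$DST" "$sport" "$dport" "$SRC" "$DST" "$REQID"
}

# Apply both commands in a throwaway network namespace (root only), dump the
# SAD and SPD so the "proto tcp sport 5000 dport 80" selector can be seen on
# the installed state, then tear the namespace down.
apply_in_netns() {
    ns=xfrm-port-demo
    ip netns add "$ns" || return 1
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" sh -c "$(xfrm_state_cmd 5000 80)"
    ip netns exec "$ns" sh -c "$(xfrm_policy_cmd 5000 80)"
    ip netns exec "$ns" ip xfrm state
    ip netns exec "$ns" ip xfrm policy
    ip netns del "$ns"
}

if [ "${XFRM_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_in_netns
else
    # Dry run: show the commands a privileged operator would run.
    xfrm_state_cmd 5000 80; echo
    xfrm_policy_cmd 5000 80; echo
fi
```

In the dry run the script only prints the two `ip xfrm` lines; with `XFRM_APPLY=1` as root it installs them in a scratch namespace and the `ip xfrm state` dump shows the `sel src 10.0.0.1/32 dst 10.0.0.2/32 proto tcp sport 5000 dport 80` selector on the SA, which is what pfkey's SADB_ADD cannot express here.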