Message-ID: <fbf86b110908150831r65622046gd22d17b86347c823@mail.gmail.com>
Date: Sat, 15 Aug 2009 18:31:41 +0300
From: Ural Erdemir <uralerdemir@...il.com>
To: netdev@...r.kernel.org
Subject: Questions about Linux kernel xfrm policy insert
We are trying to test Linux IPsec and racoon IKE by using a relatively
big SPDB and SADB (~4K - 16K entries). I have two specific questions
about the security policy database in the Linux kernel.
-As I see it, setkey only supports adding a policy to the end of the list.
Using the PF_KEY socket interface, how can I insert a policy at the
beginning or at a specific position in the list (by using an index or
before/after a policy entry), without flushing and reinserting all
SPD entries? I don't want to use the priority parameter for that, because I
think it may slow down policy lookup, and it will be hard to manage the
priority of entries in the long term.
-According to RFC 4301: "The SPD is an ordered database. Thus, a user
or administrator MUST be able to order the entries to express a
desired access control policy." In Test 1, we have shown that Linux IPsec
behavior is against this rule. Do you think it is a bug or a feature?
In my opinion, it looks like a bug in the hash table for source and
destination selectors with prefix length 32.
Test scenarios are as follows:
Device Under Test: IP address: 192.168.101.1/24
DUT(192.168.101.1/24)----->(192.168.101.5/24) Host
TEST 1: Failed (src & dst in same network, selector prefix 32)
SuseDE1:~ # setkey -c
spdadd 192.168.101.0/24 192.168.101.0/24 any -P out none;
spdadd 192.168.101.1/32 192.168.101.5/32 any -P out discard;
SuseDE1:~ # setkey -DP
192.168.101.0/24[any] 192.168.101.0/24[any] any
out prio def none
created: Aug 12 09:45:47 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1 seq=1 pid=4732
refcnt=1
192.168.101.1[any] 192.168.101.5[any] any
out prio def discard
created: Aug 12 09:45:48 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=9 seq=0 pid=4732
refcnt=1
SuseDE1:~ # ping 192.168.101.5 -I 192.168.101.1
PING 192.168.101.5 (192.168.101.5) from 192.168.101.1 : 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
.... --> Failed since the second policy entry was selected, not the first
matching entry in the list.
TEST 2: Passed (src & dst in different networks, selector prefix 32)
spdadd 192.168.101.0/24 192.168.102.0/24 any -P out none;
spdadd 192.168.101.1/32 192.168.102.5/32 any -P out discard;
# ping->192.168.102.5 OK
TEST 3: Passed (src & dst in same network, selector prefix 24&32)
spdadd 192.168.101.0/24 192.168.101.0/24 any -P out none;
spdadd 192.168.101.1/24 192.168.101.5/32 any -P out discard;
# ping->192.168.101.5 OK
TEST 4: Passed (src & dst in same network, using priority)
spdadd 192.168.101.0/24 192.168.101.0/24 any -P out prio 2 none;
spdadd 192.168.101.1/32 192.168.101.5/32 any -P out prio 1 discard;
# ping->192.168.101.5 OK
Thanks...
Ural
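The following is an added example (not part of the mail above and not kernel or ipsec-tools code): a small evaluator that parses the setkey spdadd lines from Tests 1 to 3 and applies the RFC 4301 ordered, first-match rule, so the expected outcome of each scenario can be compared with what the mail reports. Test 4 is left out because its result depends on Linux-specific priority handling that this model does not reproduce; the SCENARIOS table and the no-match default are constructed for the example.

```python
import ipaddress
import re

# Constructed from the spdadd lines in the mail (default priority only).
SCENARIOS = {
    "test1": [  # same network, both selectors /32 -> mail reports ping blocked
        "spdadd 192.168.101.0/24 192.168.101.0/24 any -P out none;",
        "spdadd 192.168.101.1/32 192.168.101.5/32 any -P out discard;",
    ],
    "test2": [  # different networks, both selectors /32 -> mail reports ping OK
        "spdadd 192.168.101.0/24 192.168.102.0/24 any -P out none;",
        "spdadd 192.168.101.1/32 192.168.102.5/32 any -P out discard;",
    ],
    "test3": [  # same network, src selector /24 -> mail reports ping OK
        "spdadd 192.168.101.0/24 192.168.101.0/24 any -P out none;",
        "spdadd 192.168.101.1/24 192.168.101.5/32 any -P out discard;",
    ],
}

# Matches the subset of setkey(8) spdadd syntax used in the mail:
# spdadd <src>/<plen> <dst>/<plen> <proto> -P <dir> <action>;
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(none|discard|ipsec)"
)

def parse_spd(lines):
    """Parse spdadd lines into an ordered list of (src_net, dst_net, dir, action)."""
    entries = []
    for line in lines:
        m = SPDADD.match(line.strip())
        if not m:
            raise ValueError(f"unparsed spdadd line: {line!r}")
        src, dst, _proto, direction, action = m.groups()
        # strict=False keeps host bits such as 192.168.101.1/24 (Test 3).
        entries.append((ipaddress.ip_network(src, strict=False),
                        ipaddress.ip_network(dst, strict=False), direction, action))
    return entries

def lookup(entries, src, dst, direction="out"):
    """RFC 4301 ordered SPD: the first entry whose selectors match decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, ent_dir, action in entries:
        if ent_dir == direction and s in src_net and d in dst_net:
            return action
    return "discard"  # RFC 4301: outbound packet with no matching entry is discarded

def expected_results():
    """Ordered-SPD verdict for the DUT->Host ping of each scenario in the mail."""
    hosts = {"test1": "192.168.101.5", "test2": "192.168.102.5", "test3": "192.168.101.5"}
    return {name: lookup(parse_spd(lines), "192.168.101.1", hosts[name])
            for name, lines in SCENARIOS.items()}
```

Under strict ordering every scenario resolves to the first /24 "none" entry, so Test 1 is the only case where the mail's observation ("Operation not permitted", i.e. discard) departs from the expected result; reversing the two Test 1 entries is what would legitimately produce discard.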