| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4C6A4C62.1010904@6wind.com> Date: Tue, 17 Aug 2010 10:46:26 +0200 From: Christophe Gouault <christophe.gouault@...nd.com> To: netdev@...r.kernel.org Subject: IPsec: Why do pfkey_getspi and xfrm_alloc_userspi call xfrm_find_acq_byseq? Dear netdev developers, I would like to understand why the pfkey_getspi and xfrm_alloc_userspi functions call xfrm_find_acq_byseq() and try to find an reuse an SA in state XFRM_STATE_ACQ with the same sequence number and destination address as the GETSPI request. As far as I understand, SAs in state XFRM_STATE_ACQ can only be created as a result of a user call to GETSPI or a kernel ACQUIRE message. - GETSPI is invoked by an application in order to create a temporary SA with a unique SPI, typically during an IKE negotiation, to create the inbound SA of the pair. No later GETSPI will be done on this SA. - An acquire message is triggered by the kernel and creates a temporary outbound SA whose SPI will be chosen by the remote IKE peer. No later GETSPI will be done on this SA. In which case can GETSPI find and reuse an SA that matches the message sequence number and destination address? A second lookup is done just after, with xfrm_find_acq (this function uses a hash table). Wouldn't this lookup find this SA too? The call to xfrm_find_acq_byseq is quite costly (the whole SAD is looked up every time GETSPI is called), so I'd like to understand what its purpose is. Thanks in advance, Christophe -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists