lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20101004084041.GB17939@gondor.apana.org.au> Date: Mon, 4 Oct 2010 16:40:41 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Arnaud Ebalard <arno@...isbad.org> Cc: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <eric.dumazet@...il.com>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, netdev@...r.kernel.org Subject: Re: [PATCHv4 net-next-2.6 4/5] XFRM,IPv6: Add IRO remapping hook in xfrm_input() On Mon, Oct 04, 2010 at 08:25:23AM +0200, Arnaud Ebalard wrote: > Add a hook in xfrm_input() to allow IRO remapping to occur when > an incoming packet matching an existing SA (based on SPI) with > an unexpected destination or source address is received. > Because IRO does not consume additional bits in a packet (that's > the point), there is no way to demultiplex based on something > like nh or spi. Instead, IRO input handlers (for source and > destination address remapping) are called upon address mismatch > during IPsec processing. > For that to work, we rely on the fact that SPI values generated > locally are no more linked to destination address (first patch > of the set) and we postpone a bit the expected address check in > xfrm_input() (inside xfrm_state_lookup() against daddr param) by > introducing a call to the input_addr_check() handler from the > struct xfrm_state_afinfo associated with the address family. > > Signed-off-by: Arnaud Ebalard <arno@...isbad.org> I would prefer for this check to go into x->type->input since it does not apply to IPsec. Just because the SPI is unique for inbound SAs, it doesn't mean that we should ignore the destination IP address in the packet for IPsec. I think another way of getting what you want is to simply add inbound SAs with a zero destination address in your case which can then be made to match any destination IP address. You can then follow that up with additional checks in x->type->input. Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists