Date:	Thu, 21 Nov 2013 12:45:53 +0100
From:	Steffen Klassert <>
To:	Christophe Gouault <>
Cc:	Saurabh Mohan <>,
	"David S. Miller" <>,
	Herbert Xu <>,
	Sergei Shtylyov <>,
	Eric Dumazet <>,
	Andrew Collins <>,
	Fan Du <>
Subject: Re: [PATCH net v3] vti: fix spd lookup: match plaintext pkt, not ipsec pkt

On Thu, Nov 21, 2013 at 11:07:27AM +0100, Christophe Gouault wrote:
> But you can optionally apply differentiated policies within the same
> tunnel, by setting SPs with narrower selectors: according to the
> plaintext traffic that crosses the tunnel, you can request to use
> different protocols (esp/ah), different SAs, maybe drop some traffic.

This raises the question about the MTU of a vti device. If the SA
is not unique, it is not clear which MTU we should use for that device.

> Only ipsec tunnel mode and drop policies should be bound to a VTI interface.
> And the patch restores the SP semantics: the selector is used to match
> the plaintext traffic, not the IPsec encrypted traffic.

On the other hand, I've spent quite some time to figure out how
inter address family tunneling can work with vti devices. It
seems that we need plaintext matching to get this to work.
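The point of the thread, that a policy selector must be evaluated against the plaintext packet and not against the already-encapsulated IPsec packet, can be illustrated with a toy SPD. The following is an added example, not kernel or iproute2 code and not part of the original message: a minimal selector-matching model with constructed policies and packets (RFC 5737 documentation addresses for the tunnel endpoints, private addresses for the plaintext traffic). It shows that narrower selectors (a discard policy for one port, an ESP SA for one subnet, an AH SA for another) only differentiate traffic when the lookup sees the inner header; once the lookup key is the outer tunnel header, every flow gets the same answer.

```python
"""Toy model of an SPD lookup keyed on the plaintext vs. the IPsec packet.

Added illustration only: a simplified stand-in for the kernel's xfrm
policy lookup, with constructed sample policies and packets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    src: str                    # CIDR
    dst: str                    # CIDR
    proto: Optional[str] = None  # None means any protocol
    dport: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    priority: int               # lower value is checked first
    action: str                 # "esp:<sa>", "ah:<sa>" or "discard"


def spd_lookup(spd: List[Policy], pkt: Packet) -> str:
    """First matching policy in priority order; no match means bypass."""
    for pol in sorted(spd, key=lambda p: p.priority):
        if pol.selector.matches(pkt):
            return pol.action
    return "bypass"


# Constructed tunnel endpoints (RFC 5737 documentation ranges).
TUNNEL_LOCAL, TUNNEL_PEER = "192.0.2.1", "198.51.100.1"

# Constructed SPD bound to one tunnel: a narrow discard policy, and two
# different SAs selected by the plaintext source subnet.
SPD = [
    Policy(Selector("10.0.1.0/24", "10.0.2.0/24", "tcp", 23), 10, "discard"),
    Policy(Selector("10.0.1.0/24", "10.0.2.0/24"), 100, "esp:sa-1"),
    Policy(Selector("10.0.3.0/24", "10.0.2.0/24"), 100, "ah:sa-2"),
]


def outer_header(_plaintext: Packet) -> Packet:
    """Tunnel-mode encapsulation: the inner header is hidden behind the
    tunnel endpoints, so the outer packet carries no selector information
    beyond the endpoints themselves."""
    return Packet(TUNNEL_LOCAL, TUNNEL_PEER, "esp")


def classify(spd: List[Policy], pkt: Packet, match_plaintext: bool = True) -> str:
    """Run the SPD lookup on the plaintext packet (the fixed behaviour)
    or on the encapsulated packet (the behaviour the patch corrects)."""
    key = pkt if match_plaintext else outer_header(pkt)
    return spd_lookup(spd, key)


def differentiates(spd: List[Policy], flows: List[Packet], match_plaintext: bool) -> bool:
    """True if the lookup gives more than one distinct result over the flows."""
    return len({classify(spd, f, match_plaintext) for f in flows}) > 1


FLOWS = [
    Packet("10.0.1.5", "10.0.2.7", "tcp", 23),   # telnet: should be dropped
    Packet("10.0.1.5", "10.0.2.7", "tcp", 443),  # same subnet, other port: ESP
    Packet("10.0.3.9", "10.0.2.7", "udp", 53),   # other subnet: AH
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", classify(SPD, f), "| outer:", classify(SPD, f, False))
```

With plaintext matching the three flows resolve to `discard`, `esp:sa-1` and `ah:sa-2`; keyed on the outer header they all resolve to the same result, which is exactly why per-flow policies inside one VTI cannot work without plaintext matching.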