Message-ID: <DD56476BFBBCB94EA5C5CCFF543EBEC99A0DEC9A@ExMbx1.iabg.de>
Date: Thu, 21 Jul 2016 16:00:24 +0000
From: Pommnitz Jörg <Pommnitz@...g.de>
To: Ilan Tayari <ilant@...lanox.com>, Shanker Wang <shankerwangmiao@...il.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: AW: IPv6 IPSec incompatibilities between 2.6.23 and 3.6.18/4.6.4

I'm tracking this down and I *think* I found it. I think it's not really an IPsec issue. Something changed between 2.6.x and 3.x regarding the handling of multicast packets. If I call "iperf -s -u -V -B ff0e::1" and those join ff0e::1, things start to work.

Regards
joerg

> -----Original Message-----
> From: Ilan Tayari [mailto:ilant@...lanox.com]
> Sent: Thursday, 21 July 2016 16:41
> To: Pommnitz Jörg; Shanker Wang
> Cc: netdev@...r.kernel.org
> Subject: RE: IPv6 IPSec incompatibilities between 2.6.23 and 3.6.18/4.6.4
>
> > Node 1: fd01:1b10:1000::1 is running 4.6.4
> > 14:21:50.737092 IP6 fd01:1b10:1000::3 > ff0e::1:
> > ESP(spi=0x00000001,seq=0x100), length 136
> > 14:21:51.737155 IP6 fd01:1b10:1000::3 > ff0e::1:
> > ESP(spi=0x00000001,seq=0x101), length 136
> ...
> > ip -s xfrm state
> > src fd01:1b10:1000::1 dst ff0e::1
> > proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel
> ...
> > add 2016-07-21 14:18:08 use -
> ...
> > dir out ...
> ...
> > add 2016-07-21 14:18:08 use -
> ...
> > dir fwd ...
> > add 2016-07-21 14:18:08 use -
> ...
> > dir in ...
> > add 2016-07-21 14:18:08 use -
>
> Hi Joerg,
>
> See the "use -" instead of a date/time of last usage (like in your output
> from 2.6) Packets are received, but nothing is matched to your xfrm states
> and policies.
>
> Are you sure this is the full output of "ip -s xfrm policy"? I feel like
> something is missing.
>
> At first glance I'd say it looks like src+dst doesn't match the packets.
> Packet source-ip is ::3, while xfrm-state source ip matches ::1
>
> Ilan.
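The "use -" symptom discussed in this thread can be checked mechanically. The following is an added example, not code from either poster: it parses text in the layout of "ip -s xfrm state" and reports SAs that were installed but never matched a packet. The function names and the second sample entry are assumptions made for illustration.

```python
import re

# Constructed sample in the layout printed by `ip -s xfrm state`. The first
# entry reuses the values quoted in the thread; the second is made up.
SAMPLE = """\
src fd01:1b10:1000::1 dst ff0e::1
    proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel
    lifetime current:
      0(bytes), 0(packets)
      add 2016-07-21 14:18:08 use -
src fd01:1b10:1000::3 dst ff0e::1
    proto esp spi 0x00000002(2) reqid 0(0x00000000) mode tunnel
    lifetime current:
      13600(bytes), 100(packets)
      add 2016-07-21 14:18:08 use 2016-07-21 14:21:50
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)")
SPI = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+)")
USE = re.compile(r"^\s+add (\S+ \S+) use (.+?)\s*$")


def parse_states(text):
    """Return one dict per SA with src, dst, proto, spi, add and use."""
    states, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"src": m[1], "dst": m[2], "proto": None, "spi": None,
                   "add": None, "use": None}
            states.append(cur)
        elif cur is None:
            continue  # skip anything before the first "src ... dst ..." line
        elif m := SPI.match(line):
            cur["proto"], cur["spi"] = m[1], int(m[2], 16)
        elif m := USE.match(line):
            cur["add"] = m[1]
            # "-" means the kernel has never used this SA
            cur["use"] = None if m[2] == "-" else m[2]
    return states


def never_used(states):
    """SAs that have a creation time but no recorded last-use time."""
    return [s for s in states if s["add"] and s["use"] is None]


if __name__ == "__main__":
    for s in never_used(parse_states(SAMPLE)):
        print(f"unused SA: {s['src']} -> {s['dst']} spi=0x{s['spi']:08x}")
```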