lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <CAJ4ZP5QhmV89K_EfF19B_wjAbOYBNj_62dZksJNCwHUAHVmGvw@mail.gmail.com>
Date:   Thu, 6 Jul 2017 12:21:56 +0530
From:   Balaji Foss <balajig.foss@...il.com>
To:     netdev@...r.kernel.org
Cc:     steffen.klassert@...unet.com, herbert@...dor.apana.org.au
Subject: Regarding xfrm state search with destination address as wildcard mask

Hi All,

I'm trying to implement IPsec for OSPFv3 as per RFC 4552 on Linux kernel
version 3.16.39.
The requirement is to support IPsec encryption/authentication for OSPFv3 traffic.
As of now, this can be achieved by the following set of SA and SP rules.

ip xfrm state add src :: dst ff02::5 proto ah spi 0x401 mode transport \
    auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src :: dst ff02::6 proto ah spi 0x401 mode transport \
    auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src <sip> dst <dst_ip> proto ah spi 0x401 mode transport \
    auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src <dst_ip> dst <sip> proto ah spi 0x401 mode transport \
    auth "hmac(sha1)" 0x12345678123456781234567812345678

ip xfrm policy add dir out src <sip> dst 0::0/0 dev e101-049-0 proto ospf \
    priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
ip xfrm policy add dir in src 0::0/0 dst 0::0/0 dev e101-049-0 proto ospf \
    priority 2147483648 tmpl proto ah spi 0x401 mode transport level use


One can notice that it needs four SA rules to achieve IPsec for a single
OSPF interface.
Instead of these four rules, can we have a single rule with DIP as a
wildcard mask and the xfrm state search based on SPI, family and
proto alone?

As of now, the API "__xfrm_state_lookup" searches based on
SPI, family, proto and dest_addr. Is there any way I can achieve the SA
lookup without dest_addr and only with SPI, family and proto alone?

Any help or pointers are greatly appreciated.

Regards
Bala
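The lookup key the mail describes, modelled as an added example (this is editor-written code, not the poster's and not the kernel's xfrm code): a toy SAD holding the four manual SAs from the mail, a lookup keyed on (daddr, spi, proto, family) as __xfrm_state_lookup does today, and the wildcard-destination variant the poster asks for, keyed on (spi, proto, family) only. The link-local addresses fe80::1 and fe80::2 are assumed stand-ins for the <sip> and <dst_ip> placeholders. Because all four SAs in the mail share SPI 0x401, the example shows the practical caveat of dropping the destination from the key: the lookup becomes ambiguous unless SPIs are guaranteed unique per (proto, family) across the whole SAD, which is the invariant a reviewer would need to see enforced before such a change.

```c
/* Toy model of the Linux xfrm state (SA) lookup key, written for this
 * note; it is not kernel code and does not use the kernel's structures. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct toy_sa {
    int family;        /* AF_INET6 for every entry in the mail */
    const char *src;   /* textual source; "::" is the unspecified/any address */
    const char *dst;   /* textual destination, the key component at issue */
    uint8_t proto;     /* IPPROTO_AH (51) */
    uint32_t spi;
};

/* Constructed SAD mirroring the four "ip xfrm state add" rules in the mail.
 * fe80::1 / fe80::2 are assumed stand-ins for the <sip> / <dst_ip> placeholders. */
static const struct toy_sa sad[] = {
    { AF_INET6, "::",      "ff02::5", IPPROTO_AH, 0x401 },  /* AllSPFRouters */
    { AF_INET6, "::",      "ff02::6", IPPROTO_AH, 0x401 },  /* AllDRouters */
    { AF_INET6, "fe80::1", "fe80::2", IPPROTO_AH, 0x401 },
    { AF_INET6, "fe80::2", "fe80::1", IPPROTO_AH, 0x401 },
};
#define SAD_LEN (sizeof sad / sizeof sad[0])

/* Compare two textual IPv6 addresses by their binary form. */
static int addr6_equal(const char *a, const char *b)
{
    struct in6_addr x, y;
    if (inet_pton(AF_INET6, a, &x) != 1 || inet_pton(AF_INET6, b, &y) != 1)
        return 0;
    return memcmp(&x, &y, sizeof x) == 0;
}

/* Same key __xfrm_state_lookup() uses today: (daddr, spi, proto, family).
 * Returns the index of the matching SA, or -1 if there is none. */
int sad_lookup(const char *daddr, uint32_t spi, uint8_t proto, int family)
{
    for (size_t i = 0; i < SAD_LEN; i++) {
        const struct toy_sa *sa = &sad[i];
        if (sa->family == family && sa->proto == proto && sa->spi == spi &&
            addr6_equal(sa->dst, daddr))
            return (int)i;
    }
    return -1;
}

/* The wildcard-destination lookup the mail asks about: key on
 * (spi, proto, family) only. Returns how many SAs match; more than one
 * means the receiver cannot tell which SA (and therefore which key) applies. */
int sad_count_by_spi(uint32_t spi, uint8_t proto, int family)
{
    int n = 0;
    for (size_t i = 0; i < SAD_LEN; i++)
        if (sad[i].family == family && sad[i].proto == proto && sad[i].spi == spi)
            n++;
    return n;
}

int main(void)
{
    const char *dsts[] = { "ff02::5", "ff02::6", "fe80::1", "fe80::9" };
    for (size_t i = 0; i < 4; i++)
        printf("AH spi 0x401 to %-8s -> SA index %d\n", dsts[i],
               sad_lookup(dsts[i], 0x401, IPPROTO_AH, AF_INET6));
    printf("SAs matching (spi 0x401, ah, inet6) with no daddr in the key: %d\n",
           sad_count_by_spi(0x401, IPPROTO_AH, AF_INET6));
    return 0;
}
```

With the destination in the key, each inbound AH packet resolves to exactly one SA; with the destination removed, all four entries match the same (spi, proto, family) triple, so a single-SA-per-interface design only works if the SPI is made unique per link or per protocol across the SAD.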
