Message-ID: <832758992.1917907.1516905042529@mail.libero.it>
Date:   Thu, 25 Jan 2018 19:30:42 +0100 (CET)
From:   Marco Berizzi <pupilla@...ero.it>
To:     netdev@...r.kernel.org
Subject: Re: esp spi incorrectly reported by ip -s x p

> Hello everyone,
> 
> I'm running strongSwan 5.6.1 on linux-4.14.x (slackware 14.2 64bit)
> with iproute 4.14.1

Hello everyone again,
I have also git-cloned the current iproute2, but the behavior is the same. The Linux version is 4.14.2.
 
> When I issue 'ip -x s p', I get this output:
> 
> src 10.180.0.0/16 dst 10.81.110.10/32 uid 0
>  dir out action allow index 137 priority 375423 share any flag (0x00000000)
>  lifetime config:
>  limit: soft (INF)(bytes), hard (INF)(bytes)
>  limit: soft (INF)(packets), hard (INF)(packets)
>  expire add: soft 0(sec), hard 0(sec)
>  expire use: soft 0(sec), hard 0(sec)
>  lifetime current:
>  0(bytes), 0(packets)
>  add 2018-01-19 17:43:50 use 2018-01-19 17:47:25
>  tmpl src 10.81.110.254 dst 10.81.110.10
>  proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
>  level required share any
>  enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
>  dir fwd action allow index 154 priority 375423 share any flag (0x00000000)
>  lifetime config:
>  limit: soft (INF)(bytes), hard (INF)(bytes)
>  limit: soft (INF)(packets), hard (INF)(packets)
>  expire add: soft 0(sec), hard 0(sec)
>  expire use: soft 0(sec), hard 0(sec)
>  lifetime current:
>  0(bytes), 0(packets)
>  add 2018-01-19 17:43:50 use -
>  tmpl src 10.81.110.10 dst 10.81.110.254
>  proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
>  level required share any
>  enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
>  dir in action allow index 144 priority 375423 share any flag (0x00000000)
>  lifetime config:
>  limit: soft (INF)(bytes), hard (INF)(bytes)
>  limit: soft (INF)(packets), hard (INF)(packets)
>  expire add: soft 0(sec), hard 0(sec)
>  expire use: soft 0(sec), hard 0(sec)
>  lifetime current:
>  0(bytes), 0(packets)
>  add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
>  tmpl src 10.81.110.10 dst 10.81.110.254
>  proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
>  level required share any
>  enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> 
> As you may see, the esp security parameter index is correctly reported
> for the first policy, but is 0x00000000 for the other two entries.
> The output from strongSwan 'ipsec statusall' instead shows them correctly:
> 
> INSTALLED, TUNNEL, reqid 4, ESP SPIs: c16fd9e3_i 500e0603_o
> 3DES_CBC/HMAC_MD5_96/MODP_1024, 11180 bytes_i (215 pkts, 245s ago), 596700 bytes_o (459 pkts, 29s ago)
> 10.180.0.0/16 === 10.81.110.10/32
> 
> Also, the output from 'ip -s x s' reports the esp spi value correctly:
> 
> src 10.81.110.254 dst 10.81.110.10
>  proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
>  replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>  auth-trunc hmac(md5) 0x5b029bb432e892780c4d28a2c4f4253d (128 bits) 96
>  enc cbc(des3_ede) 0x01cf85a8cc981a3abe5ae9173bd45abbeedfd8d80f176fe9 (192 bits)
>  anti-replay context: seq 0x0, oseq 0x1cb, bitmap 0x00000000
>  lifetime config:
>  limit: soft (INF)(bytes), hard (INF)(bytes)
>  limit: soft (INF)(packets), hard (INF)(packets)
>  expire add: soft 4147(sec), hard 4800(sec)
>  expire use: soft 0(sec), hard 0(sec)
>  lifetime current:
>  596700(bytes), 459(packets)
>  add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
>  stats:
>  replay-window 0 replay 0 failed 0
> src 10.81.110.10 dst 10.81.110.254
>  proto esp spi 0xc16fd9e3(3245332963) reqid 4(0x00000004) mode tunnel
>  replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>  auth-trunc hmac(md5) 0x2354ae62bc484d3c3d9e13c9bae1fd66 (128 bits) 96
>  enc cbc(des3_ede) 0x15fcba9ac7f78e9126b2394db6e7619ebe4bc27ace4d1603 (192 bits)
>  anti-replay context: seq 0xda, oseq 0x0, bitmap 0xffffffff
>  lifetime config:
>  limit: soft (INF)(bytes), hard (INF)(bytes)
>  limit: soft (INF)(packets), hard (INF)(packets)
>  expire add: soft 3968(sec), hard 4800(sec)
>  expire use: soft 0(sec), hard 0(sec)
>  lifetime current:
>  11180(bytes), 215(packets)
>  add 2018-01-19 17:43:50 use 2018-01-19 17:43:50
>  stats:
>  replay-window 0 replay 0 failed 0
> 
> Kindly, I would like to ask if this is the expected behaviour.
> 
> Thanks in advance
> 
> Marco Berizzi
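A correlation check for the two outputs quoted above, added here as an example that is not part of the thread: it parses the 'ip xfrm policy' and 'ip xfrm state' records (constructed, trimmed copies of the quoted output are embedded) and reports which SA each policy template actually selects. It assumes that a template spi of 0 acts as a wildcard, so the SA is chosen by reqid, proto and template src/dst, which is how the Linux xfrm state lookup treats a zero template SPI.

```python
import re

# Constructed sample, trimmed from the 'ip -x s p' and 'ip -s x s' output quoted above.
POLICY_OUTPUT = """\
src 10.180.0.0/16 dst 10.81.110.10/32 uid 0
 dir out action allow index 137 priority 375423 share any flag (0x00000000)
 tmpl src 10.81.110.254 dst 10.81.110.10
 proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
 dir fwd action allow index 154 priority 375423 share any flag (0x00000000)
 tmpl src 10.81.110.10 dst 10.81.110.254
 proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
src 10.81.110.10/32 dst 10.180.0.0/16 uid 0
 dir in action allow index 144 priority 375423 share any flag (0x00000000)
 tmpl src 10.81.110.10 dst 10.81.110.254
 proto esp spi 0x00000000(0) reqid 4(0x00000004) mode tunnel
"""
STATE_OUTPUT = """\
src 10.81.110.254 dst 10.81.110.10
 proto esp spi 0x500e0603(1343096323) reqid 4(0x00000004) mode tunnel
src 10.81.110.10 dst 10.81.110.254
 proto esp spi 0xc16fd9e3(3245332963) reqid 4(0x00000004) mode tunnel
"""

# Fields shared by policy and state records; 'dir' and 'tmpl' only exist in policies.
_FIELDS = {"dir": r"^\s*dir (\w+)", "tmpl": r"tmpl src (\S+ dst \S+)",
           "spi": r"spi 0x([0-9a-f]+)\(", "reqid": r"reqid (\d+)\(",
           "proto": r"proto (\w+)", "hdr": r"^src (\S+ dst \S+)"}

def parse(text):
    """One dict per record; a record starts at an unindented 'src ' line."""
    recs = []
    for rec in filter(str.strip, re.split(r"(?m)^(?=src )", text)):
        r = {k: m.group(1) for k, p in _FIELDS.items() if (m := re.search(p, rec, re.M))}
        r["spi"], r["reqid"] = int(r["spi"], 16), int(r["reqid"])
        recs.append(r)
    return recs

def resolve_policy_spis(policy_text, state_text):
    """Map each policy dir to the SA spi its template selects. A template spi of
    0 is treated as a wildcard (assumption): match on reqid, proto, tmpl src/dst."""
    states = parse(state_text)
    out = {}
    for p in parse(policy_text):
        hits = [s["spi"] for s in states
                if s["reqid"] == p["reqid"] and s["proto"] == p["proto"]
                and s["hdr"] == p["tmpl"] and p["spi"] in (0, s["spi"])]
        out[p["dir"]] = hits[0] if hits else None  # None: no SA for this template
    return out
```

Feeding it the live output of both commands shows whether each 0x00000000 template still resolves to exactly one installed SA, which is the question the post raises.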
