lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 4 Jan 2020 00:56:41 -0500
From:   Trev Larock <trev@...ock.ca>
To:     David Ahern <dsahern@...il.com>
Cc:     Trev Larock <trev@...ock.ca>, netdev@...r.kernel.org,
        Ben Greear <greearb@...delatech.com>
Subject: Re: VRF + ip xfrm, egress ESP packet looping when qdisc configured

On Thu, Jan 2, 2020 at 11:44 PM David Ahern <dsahern@...il.com> wrote:
> Ben, cc-ed, has done some IPsec + VRF work.
>
> I have not done much wth xfrm + vrf. Can you re-create this with network
> namespaces? If so, send the commands and I will take a look when I can.
>
Thanks for responding David, under namespace the same behavior is seen.
Setup for host1 was fedora31 kernel 5.3.7-301.fc31.x86_64, host2 optional

          host1 netns ns0                      |  host2
         +---------------+                     |
         |     vrf0      |                     |
         +---------------+                     |
            |                                  |
            |                                  |
         +--------+                            |
         | enp0s8 | 192.168.56.116 --------------- 192.168.56.114
         +--------+                            |
                                               |
 ip netns add ns0
 ip netns exec ns0 ip link set lo up
 ip link set dev enp0s8 netns ns0
 sysctl net.ipv4.tcp_l3mdev_accept=1
 ip netns exec ns0 sysctl net.ipv4.tcp_l3mdev_accept=1
 ip netns exec ns0 ip addr add 192.168.56.116/24 dev enp0s8
 ip netns exec ns0 ip link set enp0s8 up
 ip netns exec ns0 ip link add dev vrf0 type vrf table 300
 ip netns exec ns0 ip link set dev vrf0 up
 ip netns exec ns0 ip link set dev enp0s8 master vrf0
 ip netns exec ns0 ip xfrm policy add src 192.168.56.116/32 dst
192.168.56.114/32 dir out priority 367231 ptype main tmpl src
192.168.56.116 dst 192.168.56.114 proto esp spi 0x1234567 reqid 1 mode
tunnel
 ip netns exec ns0 ip xfrm state add src 192.168.56.116 dst
192.168.56.114 proto esp spi 0x1234567 reqid 1 mode tunnel aead
'rfc4106(gcm(aes))'
0x68db8eabd7f61557247f28f95e668f19855e086d02b21488fde4f5fcc9d42fcfbc9a2e35
128 sel src 192.168.56.116/32 dst 192.168.56.114/32

# With qdisc have the looping ESP packet in vrf0
 ip netns exec ns0 tc qdisc add dev vrf0 root netem delay 0ms
# ping to trigger policy
 ip netns exec ns0 ping -c 1 -w 1 -I vrf0 192.168.56.114
# monitor with tcpdump
 ip netns exec ns0 tcpdump -i vrf0 host 192.168.56.114

Thanks
Trev

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ