Message-ID: <5e8522fb-d383-c0ea-f013-8625f204c4ce@gmail.com>
Date:   Sun, 5 Jan 2020 21:27:34 -0700
From:   David Ahern <dsahern@...il.com>
To:     Trev Larock <trev@...ock.ca>
Cc:     netdev@...r.kernel.org, Ben Greear <greearb@...delatech.com>
Subject: Re: VRF + ip xfrm, egress ESP packet looping when qdisc configured

On 1/3/20 10:56 PM, Trev Larock wrote:
> On Thu, Jan 2, 2020 at 11:44 PM David Ahern <dsahern@...il.com> wrote:
>> Ben, cc-ed, has done some IPsec + VRF work.
>>
>> I have not done much with xfrm + vrf. Can you re-create this with network
>> namespaces? If so, send the commands and I will take a look when I can.
>>
> Thanks for responding David, under namespace the same behavior is seen.
> Setup for host1 was fedora31 kernel 5.3.7-301.fc31.x86_64, host2 optional
> 
>           host1 netns ns0                      |  host2
>          +---------------+                     |
>          |     vrf0      |                     |
>          +---------------+                     |
>             |                                  |
>             |                                  |
>          +--------+                            |
>          | enp0s8 | 192.168.56.116 --------------- 192.168.56.114
>          +--------+                            |
>                                                |
>  ip netns add ns0
>  ip netns exec ns0 ip link set lo up
>  ip link set dev enp0s8 netns ns0
>  sysctl net.ipv4.tcp_l3mdev_accept=1
>  ip netns exec ns0 sysctl net.ipv4.tcp_l3mdev_accept=1
>  ip netns exec ns0 ip addr add 192.168.56.116/24 dev enp0s8
>  ip netns exec ns0 ip link set enp0s8 up
>  ip netns exec ns0 ip link add dev vrf0 type vrf table 300
>  ip netns exec ns0 ip link set dev vrf0 up
>  ip netns exec ns0 ip link set dev enp0s8 master vrf0
>  ip netns exec ns0 ip xfrm policy add src 192.168.56.116/32 dst
> 192.168.56.114/32 dir out priority 367231 ptype main tmpl src
> 192.168.56.116 dst 192.168.56.114 proto esp spi 0x1234567 reqid 1 mode
> tunnel
>  ip netns exec ns0 ip xfrm state add src 192.168.56.116 dst
> 192.168.56.114 proto esp spi 0x1234567 reqid 1 mode tunnel aead
> 'rfc4106(gcm(aes))'
> 0x68db8eabd7f61557247f28f95e668f19855e086d02b21488fde4f5fcc9d42fcfbc9a2e35
> 128 sel src 192.168.56.116/32 dst 192.168.56.114/32
> 
> # With qdisc have the looping ESP packet in vrf0
>  ip netns exec ns0 tc qdisc add dev vrf0 root netem delay 0ms
> # ping to trigger policy
>  ip netns exec ns0 ping -c 1 -w 1 -I vrf0 192.168.56.114
> # monitor with tcpdump
>  ip netns exec ns0 tcpdump -i vrf0 host 192.168.56.114
> 
> Thanks
> Trev
> 

Hi: I meant a series of commands using *only* network namespaces for
host1 and host2. e.g.,

ip link add veth1 type veth peer name veth2
ip link add dev vrf0 type vrf table 300
ip link set dev vrf0 up
ip link set dev veth1 master vrf0
ip addr add 192.168.56.116/24 dev veth1
ip li set dev veth1 up

ip netns add host2
ip netns exec host2 ip link set lo up
ip link set dev veth2 netns host2
ip netns exec host2 sysctl net.ipv4.tcp_l3mdev_accept=1
ip -netns host2 addr add 192.168.56.114/24 dev veth2
ip -netns host2 link set veth2 up


I was able to adapt your commands with the above and reproduced the
problem. I need to think about the proper solution.

Also, I looked at my commands from a few years ago (IPsec with VRF) and
noticed you are not adding a device context to the xfrm policy and
state. e.g.,

ip xfrm policy flush
ip xfrm policy add src 192.168.56.0/24 dst 192.168.56.0/24 \
  dev vrf0 ...

ip xfrm state flush
ip xfrm state add src 192.168.56.116 dst 192.168.56.114 \
...
   sel dev vrf0 src 192.168.56.116 dst 192.168.56.114
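
As an added example that is not part of this thread and not David's or Trev's commands: a POSIX shell script that assembles the netns-only topology David sketches (host1 in the current namespace with vrf0, host2 as the veth peer in a namespace) and installs the ESP tunnel-mode policy and state on both ends, carrying the `dev vrf0` context he recommends on the VRF side, before adding the qdisc the report names as the trigger and counting the ESP frames that show up on vrf0. Assumptions that go beyond the mail: the interface names veth1/veth2, the namespace name `host2`, a constructed SPI 0x7654321 for the reply direction, keys generated with `od` at apply time, and mirrored in/out policies on host2 so the echo reply is accepted; the `apply` and `cleanup` arguments are the script's own convention and need root.

```shell
#!/bin/sh
# Added example, not from the thread.  Builds the netns-only topology David
# sketches (host1 = this namespace with vrf0, host2 = a veth peer in netns
# "host2"), installs ESP tunnel-mode policy/state on both ends with the
# "dev vrf0" context on the VRF side, then adds the qdisc the report names
# as the trigger and counts ESP frames seen on vrf0.
# Assumed (mine, not from the mail): veth1/veth2, netns name "host2",
# SPI 0x7654321 for the reply direction, keys generated at apply time,
# and mirrored in/out policies on host2 so the echo reply is accepted.
# Run as root:  ./vrf-xfrm-repro.sh apply ; ./vrf-xfrm-repro.sh cleanup
set -eu

HOST1_IP=192.168.56.116   # from the report
HOST2_IP=192.168.56.114   # from the report
NS2=host2
VRF=vrf0
TABLE=300                 # from the report
SPI_FWD=0x1234567         # from the report
SPI_REV=0x7654321         # constructed
AEAD='rfc4106(gcm(aes))'
ICV=128
PCAP=/tmp/vrf-esp.pcap

# rfc4106 takes 32 bytes of AES-256 key plus a 4-byte salt: 36 random bytes as hex.
gen_key() { printf '0x%s\n' "$(od -An -tx1 -N36 /dev/urandom | tr -d ' \n')"; }

# Render one "ip xfrm policy add" line.  $1 src, $2 dst, $3 in|out,
# $4 L3 master device or "" (host2 has none), $5 SPI for the template.
policy_cmd() {
    src=$1; dst=$2; dir=$3; dev=${4:-}; spi=$5
    sel="src $src/32 dst $dst/32"
    [ -n "$dev" ] && sel="$sel dev $dev"
    printf 'ip xfrm policy add %s dir %s priority 100 tmpl src %s dst %s proto esp spi %s reqid 1 mode tunnel\n' \
        "$sel" "$dir" "$src" "$dst" "$spi"
}

# Render one "ip xfrm state add" line.  $1 src, $2 dst, $3 SPI, $4 key,
# $5 L3 master device or "".  The device goes into the selector ("sel dev").
state_cmd() {
    src=$1; dst=$2; spi=$3; key=$4; dev=${5:-}
    sel="src $src/32 dst $dst/32"
    [ -n "$dev" ] && sel="dev $dev $sel"
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid 1 mode tunnel aead '%s' %s %s sel %s\n" \
        "$src" "$dst" "$spi" "$AEAD" "$key" "$ICV" "$sel"
}

apply() {
    # host1 side: veth1 enslaved to vrf0, as in David's sketch
    ip link add veth1 type veth peer name veth2
    ip link add dev "$VRF" type vrf table "$TABLE"
    ip link set dev "$VRF" up
    ip link set dev veth1 master "$VRF"
    ip addr add "$HOST1_IP/24" dev veth1
    ip link set dev veth1 up

    # host2 side: plain namespace holding the veth peer
    ip netns add "$NS2"
    ip netns exec "$NS2" ip link set lo up
    ip link set dev veth2 netns "$NS2"
    ip -netns "$NS2" addr add "$HOST2_IP/24" dev veth2
    ip -netns "$NS2" link set veth2 up

    k_fwd=$(gen_key); k_rev=$(gen_key)
    # host1: both directions carry the VRF device context
    eval "$(policy_cmd "$HOST1_IP" "$HOST2_IP" out "$VRF" "$SPI_FWD")"
    eval "$(policy_cmd "$HOST2_IP" "$HOST1_IP" in  "$VRF" "$SPI_REV")"
    eval "$(state_cmd  "$HOST1_IP" "$HOST2_IP" "$SPI_FWD" "$k_fwd" "$VRF")"
    eval "$(state_cmd  "$HOST2_IP" "$HOST1_IP" "$SPI_REV" "$k_rev" "$VRF")"
    # host2: same SAs and keys, mirrored directions, no device context
    eval "ip netns exec $NS2 $(policy_cmd "$HOST2_IP" "$HOST1_IP" out '' "$SPI_REV")"
    eval "ip netns exec $NS2 $(policy_cmd "$HOST1_IP" "$HOST2_IP" in  '' "$SPI_FWD")"
    eval "ip netns exec $NS2 $(state_cmd  "$HOST2_IP" "$HOST1_IP" "$SPI_REV" "$k_rev" '')"
    eval "ip netns exec $NS2 $(state_cmd  "$HOST1_IP" "$HOST2_IP" "$SPI_FWD" "$k_fwd" '')"

    # the step the report identifies as the trigger: a qdisc on the VRF device
    tc qdisc add dev "$VRF" root netem delay 0ms

    # capture ESP on vrf0 around a single ping; one request/reply pair is
    # healthy, a burst of identical ESP frames is the loop being reported
    tcpdump -ni "$VRF" -c 500 -w "$PCAP" esp 2>/dev/null &
    tpid=$!
    sleep 1
    ping -c 1 -w 2 -I "$VRF" "$HOST2_IP" || true
    sleep 2
    kill "$tpid" 2>/dev/null || true
    wait "$tpid" 2>/dev/null || true
    echo "ESP frames on $VRF: $(tcpdump -nr "$PCAP" 2>/dev/null | wc -l)"
}

cleanup() {
    ip xfrm state flush; ip xfrm policy flush
    tc qdisc del dev "$VRF" root 2>/dev/null || true
    ip link del veth1 2>/dev/null || true
    ip link del "$VRF" 2>/dev/null || true
    ip netns del "$NS2" 2>/dev/null || true
    rm -f "$PCAP"
}

case "${1:-}" in
    apply)   apply ;;
    cleanup) cleanup ;;
esac
```

The command-rendering functions are kept separate from `apply` so the exact `ip xfrm` lines can be inspected (or diffed against a config that lacks the `dev` context) without touching the host; running `apply` twice without `cleanup` will fail on the existing veth pair, which is intended.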
