Open Source and information security mailing list archives
 
Message-ID: <YcTyNRqYdBGoEYid@nataraja>
Date:   Thu, 23 Dec 2021 23:03:33 +0100
From:   Harald Welte <laforge@...monks.org>
To:     netdev@...r.kernel.org
Subject: ip xfrm delete / deleteall not able to delete SAs

Hi all,

I'm observing some quite strange behaviour and am wondering what is going
on...

So I have a single SA in the kernel (5.14.16, iproute 5.15.0):

--------------------------------------------------
$ sudo ip xfrm state
src 6.6.6.6 dst 5.5.5.5
        proto esp spi 0x00000000 reqid 2325 mode transport
        replay-window 32 
        auth-trunc hmac(sha1)  96
        enc ecb(cipher_null) 
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 6.6.6.6/32 dst 5.5.5.5/32 sport 2222 dport 1111 
--------------------------------------------------

Then I try to delete it individually and fail

--------------------------------------------------
$ sudo ip xfrm state delete src 6.6.6.6 dst 5.5.5.5 proto esp spi 0
RTNETLINK answers: No such process
--------------------------------------------------

Then I try deleteall and it also fails

--------------------------------------------------
$ sudo ip xfrm state deleteall
Failed to send delete-all request
: No such process
--------------------------------------------------

And finally, the SA still exists:

--------------------------------------------------
$ sudo ip xfrm state
src 6.6.6.6 dst 5.5.5.5
        proto esp spi 0x00000000 reqid 2325 mode transport
        replay-window 32
        auth-trunc hmac(sha1)  96
        enc ecb(cipher_null)
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 6.6.6.6/32 dst 5.5.5.5/32 sport 2222 dport 1111
--------------------------------------------------

The SA is not removed and re-added, there is no automagic other process
running for that.  'ip xfrm monitor' doesn't show any changes at all when
the 'delete' or the 'deleteall' is running.

Flushing via 'ip xfrm state flush' works, but that is sort-of beyond the
point:  Of course I need to be able to selectively delete SAs at runtime
without flushing the entire database.

Selective deletion and deleteall of policies works as expected.  Just SAs
exhibit the strange behavior described above.

Regards,
	Harald

-- 
- Harald Welte <laforge@...monks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
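An added example, not part of Harald's message and not code from iproute2 or the kernel: a POSIX shell script that reproduces the report in a throwaway network namespace (so the host SAD is left alone), contrasting SPI 0 with a non-zero SPI, plus a small reserved-SPI check that goes slightly beyond the report by also rejecting SPIs 1-255 (RFC 4303 section 2.1 reserves SPI 0 for local, implementation-specific use and 1-255 for IANA). The namespace name, the control SPI 0x100 and the all-zero HMAC key are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original message, iproute2 or the kernel:
# reproduce the report in a throwaway network namespace so the host SAD is
# untouched.  Assumptions: the namespace name, SPI 0x100 as the control
# case, and the all-zero 160-bit HMAC key (a dummy, never use it for real).
set -u

NS=xfrm-spi0-demo   # assumed free namespace name

# RFC 4303 (ESP) and RFC 4302 (AH) reserve SPI 0 for local,
# implementation-specific use and SPIs 1-255 for IANA.  Accepts decimal or
# 0x-hex as `ip xfrm` does; exit status 0 means "reserved, do not install".
spi_is_reserved() {
    spi=$(( $1 ))
    [ "$spi" -ge 0 ] && [ "$spi" -le 255 ]
}

# Install one transport-mode ESP SA with the given SPI (same selector,
# reqid and algorithms as the report), then attempt the individual delete
# the report shows failing.  Returns the exit status of the delete.
try_delete_sa() {
    spi=$1
    ip -n "$NS" xfrm state add src 6.6.6.6 dst 5.5.5.5 proto esp spi "$spi" \
        reqid 2325 mode transport \
        auth-trunc 'hmac(sha1)' 0x0000000000000000000000000000000000000000 96 \
        enc 'ecb(cipher_null)' '' \
        sel src 6.6.6.6/32 dst 5.5.5.5/32 sport 2222 dport 1111 || return 1
    ip -n "$NS" xfrm state delete src 6.6.6.6 dst 5.5.5.5 proto esp spi "$spi"
}

run_repro() {
    ip netns add "$NS" || return 1
    trap 'ip netns del "$NS"' EXIT

    echo "== control: SPI 0x100, add then individual delete"
    try_delete_sa 0x100 && echo "   deleted"

    echo "== SPI 0, add then individual delete (the reported case)"
    if try_delete_sa 0; then
        echo "   deleted (this kernel handles SPI 0)"
    else
        echo "   delete failed; the SAD still holds:"
        ip -n "$NS" xfrm state
        echo "   only a flush removes it:"
        ip -n "$NS" xfrm state flush
        ip -n "$NS" xfrm state
    fi
}

# The reproduction needs root and iproute2; spi_is_reserved works unprivileged.
if [ "$(id -u)" -eq 0 ] && command -v ip >/dev/null 2>&1; then
    run_repro
else
    echo "run as root with iproute2 installed to reproduce the report" >&2
fi
```

Why this is the expected outcome, as I read net/xfrm/xfrm_state.c and xfrm_user.c (my reading, not something the message itself establishes): when a state is inserted, it is linked into the by-destination and by-source hash tables, but it is only linked into the by-SPI table if id.spi is non-zero. XFRM_MSG_DELSA for AH/ESP/COMP resolves the target with xfrm_state_lookup(), i.e. by (daddr, spi, proto) through the by-SPI table, so a state with SPI 0 is simply never found and the kernel answers ESRCH ("No such process"). `ip xfrm state deleteall` dumps the SAD and then issues that same per-SA DELSA for each entry, which is why it fails the same way, while `flush` walks the whole table without a lookup and so does remove the SA. Practically: treat SPI 0 as unusable for any SA you intend to manage individually, which is what the RFCs already require.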
