lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANrj0bZ16_QOr8Tw6Cp6Dv0dM3MzkWKfwFfb7WqT-X3QbvJ8cA@mail.gmail.com> Date: Thu, 22 Sep 2022 18:33:55 -0700 From: Benedict Wong <benedictwong@...gle.com> To: Steffen Klassert <steffen.klassert@...unet.com> Cc: netdev@...r.kernel.org, nharold@...gle.com, lorenzo@...gle.com Subject: Re: [PATCH v2 ipsec 2/2] xfrm: Ensure policy checked for nested ESP tunnels Ahh, I've never had an IPv4 server without a NAT to test against, I'd presume this is identical there. The only comparison that I've been able to do was IPv4 UDP-encap vs IPv6 ESP. We could instead add the policy check to the ESP input path if that is the correct place. On Wed, Sep 21, 2022 at 11:27 PM Steffen Klassert <steffen.klassert@...unet.com> wrote: > > On Fri, Sep 16, 2022 at 10:44:42PM -0700, Benedict Wong wrote: > > Thanks for the response; apologies for taking a while to re-patch this > > and verify. > > > > I think this /almost/ does what we need to. I'm still seeing v6 ESP in v6 > > ESP tunnels failing; I think it's due to the fact that the IPv6 ESP > > codepath does not trigger policy checks in the receive codepath until it > > hits the socket, or changes namespace. > > Perhaps if we verify policy unconditionally in xfrmi_rcv_cb? combined > > with your change above, this should ensure IPv6 ESP also checks policies, > > and inside that clear the secpath? > > Hm, do you know why this is different to IPv4? IPv4 and IPv6 should > do the same regarding to policy checks. >
Powered by blists - more mailing lists