Message-ID: <Y+8Pg5JzOBntLcWA@gondor.apana.org.au>
Date:   Fri, 17 Feb 2023 13:24:19 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Sri Sakthi <srisakthi.s@...il.com>
Cc:     steffen.klassert@...unet.com, davem@...emloft.net,
        netdev@...r.kernel.org, srisakthi.subramaniam@...hos.com,
        david.george@...hos.com, Vimal.Agrawal@...hos.com
Subject: Re: xfrm: Pass on correct AF value to xfrm_state_find

On Thu, Feb 16, 2023 at 04:01:21PM +0530, Sri Sakthi wrote:
> 
> IP compression enabled flow uses 2 xfrms, a tunnel mode SA followed by a
> transport mode SA like the sample ip x p pasted below,
> 
> src 10.171.96.0/20 dst 10.171.80.0/20
> 
> dir out priority 379519
> 
> tmpl src 2b01:7660:6:c::aab:1c7 dst 2b01:7660:6:c::aab:30
> 
> proto comp reqid 4 mode tunnel
> 
> tmpl src :: dst ::
  ^^^^^^^^^^^^^^^^^^ should be IPv4
> 
> proto esp reqid 4 mode transport

This looks like a configuration error to me.  You are first
compressing the packet, which occurs in tunnel mode, and that's
the point where your IPv4 packet becomes IPv6.  So everything
beyond this should be IPv6.

You then apply ESP to the IPv6 packet.  So the ESP SA/policy
should be v6/v6.

However, the policy selector for the ESP transform should still
be IPv4.  This is because the policy selector on a nested policy
is matched against the inner-most flow, and not one level below
(don't ask me why, it was this way before I got here :)

In your case your ESP policy selector says that it has to be IPv6,
while the inner-most flow is IPv4.  That's why it doesn't work.

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
