| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c06ff911-8ffb-0f5c-5863-d48dbf1dd084@strongswan.org>
Date: Fri, 31 Mar 2023 10:19:33 +0200
From: Tobias Brunner <tobias@...ongswan.org>
To: Steffen Klassert <steffen.klassert@...unet.com>,
netdev@...r.kernel.org, devel@...ux-ipsec.org
Cc: Hyunwoo Kim <v4bel@...ori.io>,
Tudor Ambarus <tudordana@...gle.com>,
Eric Dumazet <edumazet@...gle.com>
Subject: Re: [devel-ipsec] [PATCH ipsec] xfrm: Don't allow optional
intermediate templates that changes the address family
> When an optional intermediate template changes the address family,
> it is unclear which family the next template should have. This can
> lead to misinterpretations of IPv4/IPv6 addresses. So reject
> optional intermediate templates on insertion time.
This change breaks the installation of IPv4-in-IPv6 (or vice-versa)
policies with IPComp, where the optional IPComp template and SA is
installed with tunnel mode (while the ESP template/SA that follows is
installed in transport mode) and the address family is that of the SA
not that of the policy.
Note that mixed-family scenarios with IPComp are currently broken due to
an address family issue, but that's a problem in xfrm_tmpl_resolve_one()
that occurs later when packets are actually matched against policies.
There is a simple patch for it that I haven't got around to submit to
the list yet.
Regards,
Tobias
Powered by blists - more mailing lists