lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZhV5eG2pkrsX0uIV@Antony2201.local>
Date: Tue, 9 Apr 2024 19:23:04 +0200
From: Antony Antony <antony@...nome.org>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: Antony Antony <antony@...nome.org>,
	Nicolas Dichtel <nicolas.dichtel@...nd.com>,
	Antony Antony <antony.antony@...unet.com>,
	Herbert Xu <herbert@...dor.apana.org.au>, netdev@...r.kernel.org,
	devel@...ux-ipsec.org, Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	"David S. Miller" <davem@...emloft.net>
Subject: Re: [devel-ipsec] [PATCH ipsec-next v6] xfrm: Add Direction to the
 SA in or out

On Mon, Apr 08, 2024 at 03:02:31PM +0200, Sabrina Dubroca wrote:
> 2024-04-07, 10:23:21 +0200, Antony Antony wrote:
> > Hi Sabrina,
> > 
> > On Fri, Apr 05, 2024 at 11:56:00PM +0200, Sabrina Dubroca via Devel wrote:
> > > Hi Antony,
> > > 
> > > 2024-04-05, 14:40:07 +0200, Antony Antony wrote:
> > > > This patch introduces the 'dir' attribute, 'in' or 'out', to the
> > > > xfrm_state, SA, enhancing usability by delineating the scope of values
> > > > based on direction. An input SA will now exclusively encompass values
> > > > pertinent to input, effectively segregating them from output-related
> > > > values. 
> > > 
> > > But this patch isn't doing that for existing properties (I'm thinking
> > > of replay window, not sure if any others are relevant [1]). Why not?
> > 
> > Thank you for raising this point.  I thought that introducing a patch for 
> > the replay window check could stir more controversy, which might delay the 
> > acceptance of the essential 'dir' feature.
> 
> I'm not convinced it's *that* critical. People have someone managed to

Understood, but from a user's perspective, I've seen significant confusion 
around this issue. Labeling it as 'historical' and unchangeable ignores its 
real impact on usability. I feel adding "dir"  would help a lot.

> use IPsec without it for all those years. Is the intention to only
> allow setting up IPTFS SAs when this new 'dir' attribute is provided?
> If not, then this patch is not really blocking for IPTFS.

> And yes, people will sometimes make comments on patches that cause
> delays in getting the patches accepted. Some patches even end up
> getting rejected. The kernel is better thanks to that process, even if
> it can be annoying to the submitter (including me! it would be a lot
> more relaxing if my patches always just went in at v1 :)).
> 
> Nicolas, since you were objecting to the informational nature of the
> attribute in v5: would you still object to the new attribute (and not
> just limited to offload cases) if it properly restricted attributes
> that don't match the direction?
> 
> >  My primary goal at this stage is 
> > to get this basic feature  in and to convince Chris to integrate the "dir" 
> > attribute into IP-TFS. This patch has partly contributed to the delays in 
> > IP-TFS's development.
> > 
> > Given your input, I'm curious about the specific conditions you have in 
> > mind. See the attached patch.
> 
> I didn't look into details when I wrote that email. The rough idea was
> "Whatever makes the kernel do replay protection on incoming packets"
> (and if any attribute is output-only, skip those on input SAs).
> 
> > For non-ESN scenarios, the outbound SA should have a replay window set to 0?
> 
> Looks ok.
> 
> > And for ESN 1?
> 
> Why 1 and not 0?

Current implemenation does not allow 0. Though supporting 0 is higly desired 
feature and probably a hard to implement feature in xfrm code. Supporting 0 
is also a long standing argument:)

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/xfrm/xfrm_replay.c#n781

int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack)

781                         if (replay_esn->replay_window == 0) {
782                                 NL_SET_ERR_MSG(extack, "ESN replay window must be > 0");
783                                 return -EINVAL;
784                         }

> Does setting xfrm_replay_state_esn->{oseq,oseq_hi} on an input SA (and
> {seq,seq_hi} on output) make sense?

Good point. I will add  {seq,seq_hi} validation. I don't think we add a for 
{oseq,oseq_hi} as it might be used by strongSwan with: ESN  replay-window 1, 
and migrating an SA.

> And xfrm_state_update probably needs to check that the dir value
> matches?  If we get this far we know the new state had matching
> direction and properties, but maybe the old one didn't?

Yes. I will add this too.

> In XFRMA_SA_EXTRA_FLAGS, both XFRM_SA_XFLAG_DONT_ENCAP_DSCP and
> XFRM_SA_XFLAG_OSEQ_MAY_WRAP look like they're only used on output. A
> few of the flags defined with xfrm_usersa_info also seem to work only
> in one direction (XFRM_STATE_DECAP_DSCP, XFRM_STATE_NOPMTUDISC,
> XFRM_STATE_ICMP).

I'm familiar with one flag, but my knowledge on the rest is limited, still I 
believe they aren't direction-specific. If anyone has more specific insight, 
please do share. Are any of these flags or x flags direction specific?

 - XFRM_STATE_ICMP should not be allowed on "out" SA. This is good point. I 
   have seen users getting confused about this.

> > non-ESN
> > ip xfrm state add src 10.1.3.4 dst 10.1.2.3 proto esp spi 3 reqid 2  \
> > mode tunnel dir out aead 'rfc4106(gcm(aes))' \
> > 0x2222222222222222222222222222222222222222 96 if_id 11 replay-window 10
> > Error: Replay-window too big > 0 for OUT SA.
> 
> I'd probably change the string to "Replay window should not be set for
> OUT SA", that makes a bit more sense to me. "too big" implies that
> some values are valid, which isn't really the case.
>

good point. fixed in v8.

> > The current impelementation does not replay window 0 with ESN.  Even though 
> > disabling replay window with ESN is a desired feature.
> > 
> > ip xfrm state add src 10.1.3.4 dst 10.1.2.3 proto esp spi 3 reqid 2 mode 
> > tunnel dir out flag esn  aead  'rfc4106(gcm(aes))'  \
> > 0x2222222222222222222222222222222222222222 96 if_id 11 replay-window 10
> > Error: ESN replay-window too big > 1 for OUT SA.ww
> > 
> > I wonder would the attached patch get accepted quickly.
> 
> I'm more interested in getting things right if we're going to
> introduce a new bit of API. IMO a new "dir" attribute that doesn't
> fully lock down the options on an SA is worse than no attribute (as
> Nicolas said previously, it's really confusing).
> And I'm not that familiar with all the API for xfrm SAs, so the
> properties I listed above may not be everything we should lock down
> (and maybe some are wrong).
> 
> I think it would also make sense to only accept this attribute in
> xfrm_add_sa, and not for any of the other message types. Sharing

> xfrma_policy is convenient but not all attributes are valid for all
> requests. Old attributes can't be changed, but we should try to be
> more strict when we introduce new attributes.

To clarify your feedback, are you suggesting the API should not permit 
XFRMA_SA_DIR for methods like XFRM_MSG_DELSA, and only allow it for 
XFRM_MSG_NEWSA and XFRM_MSG_UPDSA? I added XFRM_MSG_UPDSA, as it's used 
equivalently to XFRM_MSG_NEWSA by *swan.

> Sorry that I didn't notice this when you posted the previous versions.

thanks your review.

-antony

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ