lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cover.1767964254.git.antony@moon.secunet.de>
Date: Fri, 9 Jan 2026 14:29:52 +0100
From: Antony Antony <antony.antony@...unet.com>
To: Steffen Klassert <steffen.klassert@...unet.com>, Herbert Xu
	<herbert@...dor.apana.org.au>, <netdev@...r.kernel.org>
CC: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, <devel@...ux-ipsec.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH ipsec-next 0/6] xfrm: XFRM_MSG_MIGRATE_STATE new netlink
 message


    The current XFRM_MSG_MIGRATE interface is tightly coupled to policy and
    SA migration, and it lacks the information required to reliably migrate
    individual SAs. This makes it unsuitable for IKEv2 deployments,
    dual-stack setups (IPv4/IPv6), and scenarios where policies are managed
    externally (e.g., by other daemons than IKE daemon).

    Mandatory SA selector list
    The current API requires a non-empty SA selector list, which does not
    reflect IKEv2 use case.
    A single Child SA may correspond to multiple policies,
    and SA discovery already occurs via address and reqid matching. With
    dual-stack Child SAs this leads to excessive churn: the current method
    would have to be called up to six times (in/out/fwd × v4/v6) on SA,
    while the new method only requires two calls. While polices are
    migrated, first installing a block policy

    Selectors lack SPI (and marks)
    XFRM_MSG_MIGRATE cannot uniquely identify an SA when multiple SAs share
    the same policies (per-CPU SAs, SELinux label-based SAs, etc.). Without
    the SPI, the kernel may update the wrong SA instance.

    Reqid cannot be changed
    Some implementations allocate reqids based on traffic selectors. In
    host-to-host or selector-changing scenarios, the reqid must change,
    which the current API cannot express.

    Because strongSwan and other implementations manage policies
    independently of the kernel, an interface that updates only a specific
    SA — with complete and unambiguous identification — is required.

    XFRM_MSG_MIGRATE_STATE provides that interface. It supports migration
    of a single SA via xfrm_usersa_id (including SPI) and we fix
    encap removal in this patch set, reqid updates, address changes,
    and other SA-specific parameters. It avoids the structural limitations
    of
    XFRM_MSG_MIGRATE and provides a simpler, extensible mechanism for
    precise per-SA migration without involving policies.

Antony Antony (6):
  xfrm: remove redundent assignment
  xfrm: allow migration from UDP encapsulated to non-encapsulated ESP
  xfrm: rename reqid in xfrm_migrate
  xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration
  xfrm: reqid is invarient in old migration
  xfrm: check that SA is in VALID state before use

 include/net/xfrm.h          |   3 +-
 include/uapi/linux/xfrm.h   |  11 +++
 net/key/af_key.c            |  10 +--
 net/xfrm/xfrm_policy.c      |   4 +-
 net/xfrm/xfrm_state.c       |  41 ++++-----
 net/xfrm/xfrm_user.c        | 164 +++++++++++++++++++++++++++++++++++-
 security/selinux/nlmsgtab.c |   3 +-
 7 files changed, 206 insertions(+), 30 deletions(-)

--
2.39.5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ