| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cover.1768462955.git.antony.antony@secunet.com>
Date: Thu, 15 Jan 2026 09:03:34 +0100
From: Antony Antony <antony.antony@...unet.com>
To: Antony Antony <antony.antony@...unet.com>, Steffen Klassert
<steffen.klassert@...unet.com>, Herbert Xu <herbert@...dor.apana.org.au>,
<netdev@...r.kernel.org>
CC: "David S . Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>, Chiachang Wang <chiachangwang@...gle.com>, Yan Yan
<evitayan@...gle.com>, Shinta Sugimoto <shinta.sugimoto@...csson.com>,
<devel@...ux-ipsec.org>
Subject: [PATCH ipsec-next v2 0/4] xfrm: XFRM_MSG_MIGRATE_STATE new netlink message
SA migration, and it lacks the information required to reliably migrate
individual SAs. This makes it unsuitable for IKEv2 deployments,
dual-stack setups (IPv4/IPv6), and scenarios where policies are managed
externally (e.g., by other daemons than IKE daemon).
Mandatory SA selector list
The current API requires a non-empty SA selector list, which does not
reflect IKEv2 use case.
A single Child SA may correspond to multiple policies,
and SA discovery already occurs via address and reqid matching. With
dual-stack Child SAs this leads to excessive churn: the current method
would have to be called up to six times (in/out/fwd × v4/v6) on SA,
while the new method only requires two calls. While polices are
migrated, first installing a block policy
Selectors lack SPI (and marks)
XFRM_MSG_MIGRATE cannot uniquely identify an SA when multiple SAs share
the same policies (per-CPU SAs, SELinux label-based SAs, etc.). Without
the SPI, the kernel may update the wrong SA instance.
Reqid cannot be changed
Some implementations allocate reqids based on traffic selectors. In
host-to-host or selector-changing scenarios, the reqid must change,
which the current API cannot express.
Because strongSwan and other implementations manage policies
independently of the kernel, an interface that updates only a specific
SA — with complete and unambiguous identification — is required.
XFRM_MSG_MIGRATE_STATE provides that interface. It supports migration
of a single SA via xfrm_usersa_id (including SPI) and we fix
encap removal in this patch set, reqid updates, address changes,
and other SA-specific parameters. It avoids the structural limitations
of XFRM_MSG_MIGRATE and provides a simpler, extensible mechanism for
precise per-SA migration without involving policies.
Antony Antony (4):
xfrm: remove redundant assignments
xfrm: allow migration from UDP encapsulated to non-encapsulated ESP
xfrm: rename reqid in xfrm_migrate
xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration
include/net/xfrm.h | 3 +-
include/uapi/linux/xfrm.h | 11 +++
net/key/af_key.c | 10 +--
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_state.c | 37 ++++----
net/xfrm/xfrm_user.c | 164 +++++++++++++++++++++++++++++++++++-
security/selinux/nlmsgtab.c | 3 +-
7 files changed, 200 insertions(+), 32 deletions(-)
--
2.39.5
---
v1->v2: dropped 6/6. That check is already there where the func is called
- merged patch 4/6 and 5/6, to fix use uninitialized value
- fix commit messages
thanks,
-antony
Powered by blists - more mailing lists