port bound SAs

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <netdev@...>

Date: Monday, January 26, 2009 - 3:21 pm

A few weeks ago I posted a question to the IETF IPsec group on this
topic 

I have 2 SPDs declared saying (transport mode)
10.0.0.0/24 port 23 esp
10.0.0.0/24 port 80 esp

I then initiate a connection from that Linux machine to another system
that has the same logical rules
port 23 fires up and I get an SA pair. The question is - does that SA
pair belong to port 23 or not
If I now connect using port 80 from the same Linux box to the same peer
it tries to use the SA already set up for port 23
The remote system (windows in my test case) drops the packets because it
believes that the SA is for port 23 traffic only

The small amount of feedback I got was that the SA should belong to port
23 and that Linux seems to be doing the wrong thing

I can change the problem a bit by adding require to the SPD entry. There
are several things wrong with that though

a) it should not be necessary
b) I get a lot of SAs
c) I can no longer say that the SPD is optional (that's a separate
topic, the overloading of 2 orthogonal concepts onto a single value)
d) I am still worried that it does not work correctly in all cases

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

port bound SAs, Paul Moore, (Mon Jan 26, 3:21 pm)

Re: port bound SAs, David Miller, (Tue Jan 27, 2:20 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 12:53 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 6:26 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 12:46 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 1:01 pm)

RE: port bound SAs, Paul Moore, (Wed Jan 28, 1:17 pm)

Re: port bound SAs, Patrick McHardy, (Wed Jan 28, 2:03 pm)

RE: port bound SAs, Paul Moore, (Wed Jan 28, 2:07 pm)

Re: port bound SAs, Patrick McHardy, (Wed Jan 28, 2:11 pm)

RE: port bound SAs, Paul Moore, (Thu Jan 29, 1:23 pm)

RE: port bound SAs, Paul Moore, (Wed Jan 28, 2:27 pm)

Re: port bound SAs, Herbert Xu, (Fri Jan 30, 2:30 am)

xfrm selector generating IKE, Paul Moore, (Mon Feb 23, 9:31 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Mon Feb 23, 10:08 pm)

RE: xfrm selector generating IKE, Paul Moore, (Tue Feb 24, 1:23 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Tue Feb 24, 8:33 pm)

RE: xfrm selector generating IKE, Paul Moore, (Tue Feb 24, 10:07 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Tue Feb 24, 10:27 pm)

RE: xfrm selector generating IKE, Paul Moore, (Tue Feb 24, 10:30 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Tue Feb 24, 10:38 pm)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 1:05 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 1:12 pm)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 1:13 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 1:21 pm)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 1:24 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 1:29 pm)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 1:38 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 1:42 pm)

Re: port bound SAs, David Miller, (Tue Jan 27, 1:21 pm)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 1:21 pm)


linux-kernel:
KOSAKI Motohiro	[bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
Faik Uygur	Re: Linux 2.6.21-rc1
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Trent Piepho	[PATCH] [POWERPC] Improve (in\|out)_beXX() asm code
git:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Jens Axboe	Re: [BUG] New Kernel Bugs
openbsd-misc:

port bound SAs

Online users