RE: port bound SAs

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Paul Moore

Date: Tuesday, January 27, 2009 - 9:53 am

my inspection of the code shows that the port numbers in the SA do not
get propagated into the right places
in transport mode linux is never aware of the port numbers 
racoon systematically zeros them out during SA setup, but even if i
correct the racoon code to put the port number in it still fails becuase
the port numbers get ignored by the kernel

-----Original Message-----
From: David Miller [mailto:davem@davemloft.net] 
Sent: Monday, January 26, 2009 10:21 PM
To: Paul Moore
Cc: netdev@vger.kernel.org
Subject: Re: port bound SAs

From: "Paul Moore" <paul.moore@centrify.com>
Date: Mon, 26 Jan 2009 11:21:33 -0800

quoted text> A few weeks ago I posted a question to the IETF IPsec group on this
> topic 
> 
> I have 2 SPDs declared saying (transport mode)
> 10.0.0.0/24 port 23 esp
> 10.0.0.0/24 port 80 esp
> 
> I then initiate a connection from that Linux machine to another system
> that has the same logical rules
> port 23 fires up and I get an SA pair. The question is - does that SA
> pair belong to port 23 or not
> If I now connect using port 80 from the same Linux box to the same
peer
quoted text> it tries to use the SA already set up for port 23
> The remote system (windows in my test case) drops the packets because
it
quoted text> believes that the SA is for port 23 traffic only

Why does the Linux system do this?  The route lookup should, as it's
final IPSEC route lookup action, do an xfrm policy lookup which should
do a selector match and thus not match the port 23 rule.

I can't find the code which would allow the sequence of events
you describe, can you?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

port bound SAs, Paul Moore, (Mon Jan 26, 12:21 pm)

Re: port bound SAs, David Miller, (Mon Jan 26, 11:20 pm)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 3:26 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 9:46 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 9:53 am)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 10:01 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 10:05 am)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 10:12 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 10:13 am)

Re: port bound SAs, David Miller, (Tue Jan 27, 10:21 am)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 10:21 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 10:21 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 10:24 am)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 10:29 am)

RE: port bound SAs, Paul Moore, (Tue Jan 27, 10:38 am)

Re: port bound SAs, Patrick McHardy, (Tue Jan 27, 10:42 am)

RE: port bound SAs, Paul Moore, (Wed Jan 28, 10:17 am)

Re: port bound SAs, Patrick McHardy, (Wed Jan 28, 11:03 am)

RE: port bound SAs, Paul Moore, (Wed Jan 28, 11:07 am)

Re: port bound SAs, Patrick McHardy, (Wed Jan 28, 11:11 am)

RE: port bound SAs, Paul Moore, (Wed Jan 28, 11:27 am)

RE: port bound SAs, Paul Moore, (Thu Jan 29, 10:23 am)

Re: port bound SAs, Herbert Xu, (Thu Jan 29, 11:30 pm)

xfrm selector generating IKE, Paul Moore, (Mon Feb 23, 6:31 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Mon Feb 23, 7:08 pm)

RE: xfrm selector generating IKE, Paul Moore, (Tue Feb 24, 10:23 am)

Re: xfrm selector generating IKE, Herbert Xu, (Tue Feb 24, 5:33 pm)

RE: xfrm selector generating IKE, Paul Moore, (Tue Feb 24, 7:07 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Tue Feb 24, 7:27 pm)

RE: xfrm selector generating IKE, Paul Moore, (Tue Feb 24, 7:30 pm)

Re: xfrm selector generating IKE, Herbert Xu, (Tue Feb 24, 7:38 pm)


linux-kernel:
Tony Luck	Re: Hardware Error Kernel Mini-Summit
James Bottomley	Re: [PATCH -mm 1/2] scsi: remove dma_is_consistent usage in 53c700
Andrey Borzenkov	Re: [possible regression] 2.6.22 reiserfs/libata sporadically hangs on resume from...
Linus Torvalds	Linux 2.6.26-rc6
Jeffrey V. Merkey	Re: Versioning file system
git:
Morten Welinder	Re: [PATCH] use xrealloc in help.c
Junio C Hamano	Re: [PATCH 2/3] git-add--interactive: remove hunk coalescing
Jörg Sommer	[PATCH v2 08/13] Unify the lenght of $SHORT* and the commits in the TODO list
Boyd Lynn Gerber	Re: [VOTE] git versus mercurial
Stefan Näwe	Re: [PATCH] git-gui: use --exclude-standard to check for untracked files
linux-netdev:
Andreas Sundstrom	Re: ~60k interrupts/sec for 1Gb/s iperf with r8169
David Miller	Re: [2.6.30-rc3] powerpc: compilation error of mace module
Denys Fedoryshchenko	Re: circular locking, mirred, 2.6.24.2
David Miller	Re: [PATCH -next] sfc: Use correct macro to set event bitfield
David Miller	Re: [PATCH] ipv6: fix display of local and remote sit endpoints
git-commits-head:
Linux Kernel Mailing List	V4L/DVB: tm6000: add special usb request to quit i2c tuner transfer
Linux Kernel Mailing List	OMAP: DSS2: SDI driver
Linux Kernel Mailing List	PCI: introduce pci_pcie_cap()
Linux Kernel Mailing List	m68k: amiga - Mouse platform device conversion
Linux Kernel Mailing List	drivers/acpi: use kasprintf
openbsd-misc:
frantisek holop	Re: mount ffs as msdos, system hangs
Ted Bullock	Re: Proliant DL380 G3 cannot get on network
Úlfar M. E. Johnson	installing openbsd in xen
Eric Furman	Re: Defending OpenBSD Performance
Damien Miller	Re: Patching a SSH 'Weakness'