From: Andreas Gruenbacher <agruen@suse.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@redhat.com>, netdev@oss.sgi.com
Subject: Re: [NAT-T] NON-IKE encapsulation
Date: Sat, 26 Jun 2004 01:30:29 +0200	[thread overview]
Message-ID: <1088206229.25933.57.camel@winden.suse.de> (raw)
In-Reply-To: <20040625215747.GA14930@gondor.apana.org.au>

[-- Attachment #1: Type: text/plain, Size: 1226 bytes --]

Hello,

On Fri, 2004-06-25 at 23:57, Herbert Xu wrote:
> On Fri, Jun 25, 2004 at 10:12:31AM -0700, David S. Miller wrote:
> > 
> > I now think it's trying to account for the udpdata32[] header area.
> > But that's not 2 bytes, it's (2 * sizeof(u32)) or 8 bytes.
> 
> That's what I thought too, but that is already accounted by
> x->props.header_len in init_state.
> 
> In any case, just increasing alen like that is wrong.  It needs to
> do at least three other things:
> 
> 1. Allocate memory for it in skb_cow_data.
> 2. Fill in those bytes with data so we don't leak information.
> 3. Teach get_max_size about it.
> 
> Andreas, can you please clarify for us as to what those two bytes
> are for?

Your analyses are entirely correct. The two instances of ``alen += 2''
are indeed complete nonsense. The extra 8 bytes are already reserved
through header_len in esp_init_state; all this encapsulation mode needs
beyond that is the two zero-filled 32-bit words that esp_output writes
in front of the ESP header.

Attached is a new version of the original patch, and a relative diff for
reference. Thanks for reviewing and for reporting. (And sorry for the
confusion; I'm a bit stressed out at the moment.)


Cheers,
-- 
Andreas Gruenbacher <agruen@suse.de>
SUSE Labs, SUSE LINUX AG


[-- Attachment #2: ipsec-nat-t-old --]
[-- Type: text/plain, Size: 4169 bytes --]

This adds support for the old NAT Traversal packet format described
in draft-ietf-ipsec-udp-encaps-00/01, in which each ESP-in-UDP packet
carries an 8-byte all-zero "Non-IKE" marker between the UDP header and
the ESP header. More recent Internet Drafts define an improved format,
but some IPsec implementations still only support the old one.

  Andreas Gruenbacher <agruen@suse.de>, SUSE Labs, 2004.


Index: linux-2.6.5/net/ipv4/udp.c
===================================================================
--- linux-2.6.5.orig/net/ipv4/udp.c
+++ linux-2.6.5/net/ipv4/udp.c
@@ -975,6 +975,7 @@ static int udp_encap_rcv(struct sock * s
 			/* Must be an IKE packet.. pass it through */
 			return 1;
 
+	decaps:
 		/* At this point we are sure that this is an ESPinUDP packet,
 		 * so we need to remove 'len' bytes from the packet (the UDP
 		 * header and optional ESP marker bytes) and then modify the
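Review bot: The new `decaps:` label on the third line of the hunk says nothing about what a jump to it expects, yet it is entered from the body of another `case` (the UDP_ENCAP_ESPINUDP_NON_IKE branch added later in this file) that must already have set `len` to the number of leading bytes to strip and verified that the payload is ESP. Suggested comment on the label line: `/* decaps: shared tail for all ESP-in-UDP formats; on entry len = bytes to strip (UDP header plus any marker) and the packet is known to be ESP */`. The comment two lines below it, "the UDP header and optional ESP marker bytes", should also mention that the marker may be the 8-byte Non-IKE marker so it stays accurate for the new encap type. udp_encap_rcv() begins before this hunk and the switch the label sits in continues past it.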
@@ -1002,6 +1003,20 @@ static int udp_encap_rcv(struct sock * s
 		/* and let the caller know to send this into the ESP processor... */
 		return -1;
 
+	case UDP_ENCAP_ESPINUDP_NON_IKE:
+		/* Check if this is a keepalive packet.  If so, eat it. */
+		if (len == 1 && udpdata[0] == 0xff) {
+			return 0;
+		} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
+			   udpdata32[0] == 0 && udpdata32[1] == 0) {
+			
+			/* ESP Packet with Non-IKE marker */
+			len = sizeof(struct udphdr) + 2 * sizeof(u32);
+			goto decaps;
+		} else
+			/* Must be an IKE packet.. pass it through */
+			return 1;
+
 	default:
 		if (net_ratelimit())
 			printk(KERN_INFO "udp_encap_rcv(): Unhandled UDP encap type: %u\n",
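Review bot: The `else if` in the new UDP_ENCAP_ESPINUDP_NON_IKE case relies on `&&` short-circuit order for memory safety: `udpdata32[1]` is a read 8 bytes past the UDP header and is only in bounds because the length test is evaluated first, but nothing says so, and reordering the operands for readability would read beyond the packet. I would pin that with a comment above the `else if`: `/* length test must precede the marker reads: they touch 8 bytes past the UDP header */`. `len` is presumably a signed int computed in the function prologue (outside this hunk) while the right-hand side is size_t, so the comparison is only safe if `len` cannot be negative on this path; please confirm the prologue guarantees that. `goto decaps` jumps into the middle of the UDP_ENCAP_ESPINUDP case body, which is legal C but couples the two branches, so a short note there (or factoring the shared tail into a helper) would help the next reader. The enclosing switch and udp_encap_rcv() extend beyond this hunk.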
Index: linux-2.6.5/net/ipv4/esp4.c
===================================================================
--- linux-2.6.5.orig/net/ipv4/esp4.c
+++ linux-2.6.5/net/ipv4/esp4.c
@@ -31,6 +31,7 @@ int esp_output(struct sk_buff *skb)
 	struct esp_data *esp;
 	struct sk_buff *trailer;
 	struct udphdr *uh = NULL;
+	u32 *udpdata32;
 	struct xfrm_encap_tmpl *encap = NULL;
 	int blksize;
 	int clen;
@@ -97,6 +98,13 @@ int esp_output(struct sk_buff *skb)
 				esph = (struct ip_esp_hdr*)(uh+1);
 				top_iph->protocol = IPPROTO_UDP;
 				break;
+			case UDP_ENCAP_ESPINUDP_NON_IKE:
+				uh = (struct udphdr*) esph;
+				udpdata32 = (u32*)(uh+1);
+				udpdata32[0] = udpdata32[1] = 0;
+				esph = (struct ip_esp_hdr*)(udpdata32+2);
+				top_iph->protocol = IPPROTO_UDP;
+				break;
 			default:
 				printk(KERN_INFO
 				       "esp_output(): Unhandled encap: %u\n",
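Review bot: The two zero words written by the new `udpdata32[0] = udpdata32[1] = 0;` line are what the receive side keys on to recognise this format (udp_encap_rcv() in this patch tests `udpdata32[0] == 0 && udpdata32[1] == 0`), and they also fill the 8 bytes that esp_init_state() reserves in header_len so no uninitialised memory goes on the wire, but the case carries no comment saying either. Suggested comment above that line: `/* 8-byte all-zero Non-IKE marker (old NAT-T format); also ensures the reserved header bytes are never sent uninitialised */`. esp_output() and the switch this case belongs to start and end outside the hunk.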
@@ -132,6 +140,13 @@ int esp_output(struct sk_buff *skb)
 				esph = (struct ip_esp_hdr*)(uh+1);
 				top_iph->protocol = IPPROTO_UDP;
 				break;
+			case UDP_ENCAP_ESPINUDP_NON_IKE:
+				uh = (struct udphdr*) esph;
+				udpdata32 = (u32*)(uh+1);
+				udpdata32[0] = udpdata32[1] = 0;
+				esph = (struct ip_esp_hdr*)(udpdata32+2);
+				top_iph->protocol = IPPROTO_UDP;
+				break;
 			default:
 				printk(KERN_INFO
 				       "esp_output(): Unhandled encap: %u\n",
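Review bot: This UDP_ENCAP_ESPINUDP_NON_IKE case is a verbatim copy of the one added to the earlier switch in esp_output() (the same five statements), so the marker layout now exists twice and the two copies can drift; the existing UDP_ENCAP_ESPINUDP case is duplicated the same way, which is presumably why, but the new code need not extend the pattern. I would move the marker layout into a small static helper called from both switches, as below, leaving `uh = (struct udphdr*) esph;` and the `top_iph->protocol = IPPROTO_UDP;` assignment in place. Whether the `udpdata32` pointer is 4-byte aligned here depends on how `esph` was positioned earlier in esp_output(), which is outside the hunk; worth confirming, since the write goes through a u32 pointer. esp_output() starts and ends outside this hunk.
```c
/*
 * Old-format NAT-T: the ESP header is preceded by an 8-byte all-zero
 * "Non-IKE" marker.  Writes the marker just after @uh and returns the
 * address where the ESP header now starts.
 */
static struct ip_esp_hdr *esp_put_non_ike_marker(struct udphdr *uh)
{
	u32 *marker = (u32 *)(uh + 1);

	marker[0] = marker[1] = 0;
	return (struct ip_esp_hdr *)(marker + 2);
}

/* … unchanged: esp_output() up to the encapsulation switch … */
			case UDP_ENCAP_ESPINUDP_NON_IKE:
				uh = (struct udphdr*) esph;
				esph = esp_put_non_ike_marker(uh);
				top_iph->protocol = IPPROTO_UDP;
				break;
```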
@@ -294,6 +309,7 @@ int esp_input(struct xfrm_state *x, stru
 
 			switch (decap->decap_type) {
 			case UDP_ENCAP_ESPINUDP:
+			case UDP_ENCAP_ESPINUDP_NON_IKE:
 
 				if ((void*)uh == (void*)esph) {
 					printk(KERN_DEBUG
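Review bot: The added `case UDP_ENCAP_ESPINUDP_NON_IKE:` label groups the old NAT-T format with UDP_ENCAP_ESPINUDP without saying why the two can share this path; the reason is that udp_encap_rcv() has already stripped the UDP header and the 8-byte marker (it sets `len` to `sizeof(struct udphdr) + 2 * sizeof(u32)` before jumping to `decaps`), so by the time esp_input() runs the packet looks the same for both. A comment on the new label, `/* marker already stripped by udp_encap_rcv(); same as ESPINUDP from here on */`, would spare the reader a trip to net/ipv4/udp.c. The `if ((void*)uh == (void*)esph)` check below and the rest of esp_input() continue past the hunk.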
@@ -354,6 +370,7 @@ int esp_post_input(struct xfrm_state *x,
 
 		switch (encap->encap_type) {
 		case UDP_ENCAP_ESPINUDP:
+		case UDP_ENCAP_ESPINUDP_NON_IKE:
 			/*
 			 * 1) if the NAT-T peer's IP or port changed then
 			 *    advertize the change to the keying daemon.
@@ -534,6 +551,9 @@ int esp_init_state(struct xfrm_state *x,
 			case UDP_ENCAP_ESPINUDP:
 				x->props.header_len += sizeof(struct udphdr);
 				break;
+			case UDP_ENCAP_ESPINUDP_NON_IKE:
+				x->props.header_len += sizeof(struct udphdr) + 2 * sizeof(u32);
+				break;
 			default:
 				printk (KERN_INFO
 				"esp_init_state(): Unhandled encap type: %u\n",
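Review bot: `2 * sizeof(u32)` on the new header_len line is the same magic quantity that udp_encap_rcv() uses in its length test and strip length and that esp_output() uses as `udpdata32+2`; all of these sites must stay equal or the transmit side will write past the space this line reserves, and nothing ties them together. I would define it once next to the encap type in include/linux/udp.h, e.g. `#define UDP_ENCAP_NON_IKE_MARKER_LEN (2 * sizeof(u32))`, and write this line as `x->props.header_len += sizeof(struct udphdr) + UDP_ENCAP_NON_IKE_MARKER_LEN;`, using the same name at the other sites. esp_init_state() and its switch continue outside the hunk.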
Index: linux-2.6.5/include/linux/udp.h
===================================================================
--- linux-2.6.5.orig/include/linux/udp.h
+++ linux-2.6.5/include/linux/udp.h
@@ -31,6 +31,7 @@ struct udphdr {
 #define UDP_ENCAP	100	/* Set the socket to accept encapsulated packets */
 
 /* UDP encapsulation types */
+#define UDP_ENCAP_ESPINUDP_NON_IKE	1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
 #define UDP_ENCAP_ESPINUDP	2 /* draft-ietf-ipsec-udp-encaps-06 */
 
 #ifdef __KERNEL__

[-- Attachment #3: delta.diff --]
[-- Type: text/x-patch, Size: 674 bytes --]

Index: linux-2.6.5/net/ipv4/esp4.c
===================================================================
--- linux-2.6.5.orig/net/ipv4/esp4.c
+++ linux-2.6.5/net/ipv4/esp4.c
@@ -103,7 +103,6 @@ int esp_output(struct sk_buff *skb)
 				udpdata32 = (u32*)(uh+1);
 				udpdata32[0] = udpdata32[1] = 0;
 				esph = (struct ip_esp_hdr*)(udpdata32+2);
-				alen += 2;
 				top_iph->protocol = IPPROTO_UDP;
 				break;
 			default:
@@ -146,7 +145,6 @@ int esp_output(struct sk_buff *skb)
 				udpdata32 = (u32*)(uh+1);
 				udpdata32[0] = udpdata32[1] = 0;
 				esph = (struct ip_esp_hdr*)(udpdata32+2);
-				alen += 2;
 				top_iph->protocol = IPPROTO_UDP;
 				break;
 			default:
