From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: linux-crypto@vger.kernel.org
Subject: using 3des with ipsec transport mode
Date: Thu, 2 Jul 2015 15:53:00 +0200
Message-ID: <20150702135300.GG22958@oracle.com>


I was trying to follow the example for IPsec transport mode at 
http://www.ipsec-howto.org/x304.html with a 4.1 kernel,
and I find that using 3des_cbc does not work - packets get dropped
at the receiver after decryption: e.g., for a ping, the decrypted 
packet has a mangled icmp header, and is dropped for a bad checksum
in icmp_rcv.

Odd thing here is that the icmp payload was never mangled
on my watch, and esp_input does correctly figure out the ULP of
the payload after decrypt, so there is some pattern to this.

Using blowfish instead of 3des works on 4.1, so I suspect the bug
is specific to the encrypt/decrypt method.

FWIW I tried the 3des instructions from ipsec-howto.org with 
2.6.39 kernels, and it still fails (but so did blowfish, so 
something got better along the way).

Has anyone else noticed this behavior for 3des?

--Sowmini
