From: Patrick McHardy <kaber@trash.net>
To: David Miller <davem@davemloft.net>
Cc: paul.moore@centrify.com, netdev@vger.kernel.org
Subject: Re: port bound SAs
Date: Tue, 27 Jan 2009 11:26:57 +0100
Message-ID: <497EE171.1030907@trash.net>
In-Reply-To: <20090126.222035.100955508.davem@davemloft.net>

David Miller wrote:
> From: "Paul Moore" <paul.moore@centrify.com>
> Date: Mon, 26 Jan 2009 11:21:33 -0800
> 
>> A few weeks ago I posted a question to the IETF IPsec group on this
>> topic.
>>
>> I have 2 SPDs declared saying (transport mode)
>> 10.0.0.0/24 port 23 esp
>> 10.0.0.0/24 port 80 esp
>>
>> I then initiate a connection from that Linux machine to another system
>> that has the same logical rules
>> Port 23 fires up and I get an SA pair. The question is - does that SA
>> pair belong to port 23 or not?
>> If I now connect using port 80 from the same Linux box to the same peer
>> it tries to use the SA already set up for port 23.
>> The remote system (Windows in my test case) drops the packets because it
>> believes that the SA is for port 23 traffic only.
> 
> Why does the Linux system do this?  The route lookup should, as it's
> final IPSEC route lookup action, do an xfrm policy lookup which should
> do a selector match and thus not match the port 23 rule.
> 
> I can't find the code which would allow the sequence of events
> you describe, can you?

I'm guessing that it's just the policy that has the port selector set
and the keying daemon does not set it for the installed SAs. So unless
the policies specify separate SPIs or reqids the SAs will be shared.

Paul, which keying daemon are you using?
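
The following is an added illustration of the lookup order the reply above
relies on; it is neither kernel source nor anything posted in this thread.
It models the two-step xfrm lookup (SPD entry matched on the flow's
selector, then an SA matched on destination, reqid, optional SPI, and the
SA's own selector only if the SA was installed with one) on constructed
sample data: peer address 10.0.0.5, SPIs 0x1001/0x1002 and reqids 1 and 2
are all made up, prefix lengths and the source side of the selector are
left out, and only the checks relevant to the shared-SA case are mirrored.

```python
"""Toy model of the Linux xfrm policy -> state lookup (added illustration, not kernel code).

It reproduces the behaviour described in the thread: two port-scoped transport-mode
policies share one SA whenever the keying daemon installs the SA without a selector
and the policies do not use distinct reqids (or SPIs).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number; 6 = TCP
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Trimmed struct xfrm_selector: dst/proto/dport, None meaning wildcard.
    Prefix lengths are not modelled; an address is either exact or wildcard."""
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, fl: Flow) -> bool:
        return ((self.dst is None or self.dst == fl.dst)
                and (self.proto is None or self.proto == fl.proto)
                and (self.dport is None or self.dport == fl.dport))


@dataclass(frozen=True)
class Policy:
    """An SPD entry with one transport-mode ESP template."""
    sel: Selector
    reqid: int = 0    # template reqid; compared for equality against the SA's reqid
    spi: int = 0      # template SPI; 0 means "any SPI"


@dataclass(frozen=True)
class State:
    """An SA as the keying daemon installed it (struct xfrm_state, trimmed)."""
    spi: int
    dst: str
    reqid: int = 0
    sel: Optional[Selector] = None   # None models sel.family == 0: SA carries no selector


def policy_lookup(policies: List[Policy], fl: Flow) -> Optional[Policy]:
    """First SPD entry whose selector matches the flow (the route-lookup step)."""
    return next((p for p in policies if p.sel.matches(fl)), None)


def state_lookup(states: List[State], pol: Policy, fl: Flow) -> Optional[State]:
    """SA lookup for the matched policy: destination, reqid, optional SPI,
    and the SA's own selector, which is only consulted when the SA has one."""
    for x in states:
        if x.dst != fl.dst or x.reqid != pol.reqid:
            continue
        if pol.spi and x.spi != pol.spi:
            continue
        if x.sel is not None and not x.sel.matches(fl):
            continue
        return x
    return None   # no usable SA: the kernel would raise an ACQUIRE towards the keying daemon


def resolve(policies: List[Policy], states: List[State], fl: Flow) -> Optional[int]:
    """SPI the flow would be sent under, or None if an ACQUIRE would be raised."""
    pol = policy_lookup(policies, fl)
    if pol is None:
        return None
    x = state_lookup(states, pol, fl)
    return x.spi if x else None


# Constructed sample data shaped like the report: policies for dport 23 and dport 80
# towards one peer (an exact address stands in for 10.0.0.0/24 here).
PEER = "10.0.0.5"
TELNET = Flow("10.0.0.1", PEER, 6, 40000, 23)
HTTP = Flow("10.0.0.1", PEER, 6, 40001, 80)
POLICIES = [Policy(Selector(PEER, 6, 23)), Policy(Selector(PEER, 6, 80))]


def scenario_shared_sa() -> Tuple[Optional[int], Optional[int]]:
    """Port-23 SA installed without a selector, both policies on reqid 0:
    the port-80 flow matches its own policy but is then sent under the same SA."""
    states = [State(spi=0x1001, dst=PEER)]
    return resolve(POLICIES, states, TELNET), resolve(POLICIES, states, HTTP)


def scenario_sa_with_selector() -> Tuple[Optional[int], Optional[int]]:
    """Same SA, but installed with the negotiated selector (dport 23):
    the port-80 flow no longer matches it and would trigger an ACQUIRE instead."""
    states = [State(spi=0x1001, dst=PEER, sel=Selector(PEER, 6, 23))]
    return resolve(POLICIES, states, TELNET), resolve(POLICIES, states, HTTP)


def scenario_separate_reqids() -> Tuple[Optional[int], Optional[int]]:
    """Policies carry distinct reqids, so each one is bound to its own SA
    even though neither SA carries a selector."""
    policies = [Policy(Selector(PEER, 6, 23), reqid=1), Policy(Selector(PEER, 6, 80), reqid=2)]
    states = [State(spi=0x1001, dst=PEER, reqid=1), State(spi=0x1002, dst=PEER, reqid=2)]
    return resolve(policies, states, TELNET), resolve(policies, states, HTTP)


if __name__ == "__main__":
    print("shared SA        :", scenario_shared_sa())
    print("SA with selector :", scenario_sa_with_selector())
    print("separate reqids  :", scenario_separate_reqids())
```

The first scenario is the reported symptom: the policy lookup does select the
port-80 entry, but nothing in the state lookup distinguishes the two policies,
so the port-23 SA is reused and the peer, which bound that SA to port 23 during
negotiation, discards the traffic. Either of the two remedies named above,
installing the SA with the negotiated selector or giving each policy its own
reqid, makes the lookup miss and the kernel ask the keying daemon for a
second SA.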
