* IPsec+SCTP+IPv6 bug (was: Re: https://bugzilla.kernel.org/show_bug.cgi?id=24412)
From: Alexey Dobriyan @ 2013-09-06 16:56 UTC (permalink / raw)
  To: Daniel Borkmann; +Cc: netdev

	[add netdev@ to CC]

My notes and recollections are below.

Bug reporter says traffic is unencrypted, which is technically a different thing,
but when I tried to reproduce absence of encryption, I couldn't even get past
established TCP connection.

IPv6 case works (worked) without IPsec (setkey -F; setkey -FP).
IPv4 case worked with IPsec.
IPv6 didn't work with IPsec.

setkey(8) setup:

	#!/usr/sbin/setkey -f
	# Copy for host A (local); host B's copy swaps A and B, keeping SPIs and keys.
	# Keys are hex: hmac-sha256 wants exactly 256 bits (64 hex digits),
	# blowfish-cbc accepts 40 to 448 bits; setkey rejects anything else.
	flush;
	spdflush;
	# AH SAs, one per direction
	add A B ah 0x42 -A hmac-sha256 0xKEY1;
	add B A ah 0x43 -A hmac-sha256 0xKEY2;
	# ESP SAs, one per direction
	add A B esp 0x44 -E blowfish-cbc 0xKEY3;
	add B A esp 0x45 -E blowfish-cbc 0xKEY4;
	# Policy: outbound A->B and inbound B->A both require ESP and AH in transport mode
	spdadd A B any -P out ipsec esp/transport//require ah/transport//require;
	spdadd B A any -P in ipsec esp/transport//require ah/transport//require;

A, B -- IPv4 or IPv6 client/server addresses.
Client and server copies of the file should have matching keys and SPI numbers,
but "opposite" addresses (A <=> B).

Keys are written in hex.
IIRC setkey is picky about key lengths (they have to match exactly those of crypto algorithms).

--------------------------------------------------------------------

IPv4 reproducer:
	socat sctp-listen:3333 -
	echo plaintext | socat - sctp-connect:IP4IP4IP4IP4:3333

IPv6 reproducer:
	socat sctp6-listen:3333 -

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* One-to-one style SCTP client over IPv6; the peer runs
 * "socat sctp6-listen:3333 -". */
int main(void)
{
        struct sockaddr_in6 sa6 = { 0 };
        const char msg[] = "plaintext\n";
        int fd;

        /* IPPROTO_SCTP == 132 == 0x84 */
        fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
        if (fd < 0) {
                perror("socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP)");
                return 1;
        }
        sa6.sin6_family = AF_INET6;
        sa6.sin6_port = htons(3333);
        if (inet_pton(AF_INET6, "IP6IP6IP6IP6IP6IP6", &sa6.sin6_addr) != 1) {
                fprintf(stderr, "bad IPv6 address\n");
                return 1;
        }
        sa6.sin6_scope_id = 2;	/* it depends: interface index, only matters for link-local peers */
        if (connect(fd, (struct sockaddr *)&sa6, sizeof(sa6)) < 0) {
                perror("connect");
                return 1;
        }
        if (write(fd, msg, strlen(msg)) < 0)
                perror("write");
        close(fd);
        return 0;
}

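Added example, not code from the thread: a small generator for the two setkey(8) scripts described in Alexey's message, so that SPIs and keys cannot drift between the client and server copies and key lengths are checked before setkey gets to complain. It writes the SA lines identically on both hosts (the kernel looks an SA up by destination address and SPI, so a given SPI must name the same direction on both ends) and flips only the policy direction. The key-size table, the function names, and the documentation addresses 2001:db8::1/2 are assumptions of this example; the SPI numbering and algorithms follow the script above.

```python
"""Generate matching setkey(8) scripts for both ends of a manually keyed AH+ESP transport pair."""
import os

# Key sizes setkey enforces, in bytes, for the two algorithms in the thread's script:
# hmac-sha256 takes exactly 256 bits; blowfish-cbc takes 40 to 448 bits.
KEY_SIZES = {"hmac-sha256": (32, 32), "blowfish-cbc": (5, 56)}
POLICY = "ipsec esp/transport//require ah/transport//require"


def hexkey(alg: str, key: bytes) -> str:
    """Reject keys setkey would reject, then render them in the 0x... form it reads."""
    lo, hi = KEY_SIZES[alg]
    if not lo <= len(key) <= hi:
        raise ValueError(f"{alg}: key must be {lo}..{hi} bytes, got {len(key)}")
    return "0x" + key.hex()


def setkey_script(host: str, a: str, b: str, spi: int, keys: dict) -> str:
    """Script to load on `host` (either a or b).

    SA lines are per direction and read the same on both hosts; only the policy
    direction (-P out / -P in) depends on which host the script runs on."""
    if host not in (a, b):
        raise ValueError("host must be one of the two endpoints")
    out_dir, in_dir = ("out", "in") if host == a else ("in", "out")
    lines = [
        "#!/usr/sbin/setkey -f",
        "flush;",
        "spdflush;",
        f"add {a} {b} ah {spi:#x} -A hmac-sha256 {hexkey('hmac-sha256', keys['ah_ab'])};",
        f"add {b} {a} ah {spi + 1:#x} -A hmac-sha256 {hexkey('hmac-sha256', keys['ah_ba'])};",
        f"add {a} {b} esp {spi + 2:#x} -E blowfish-cbc {hexkey('blowfish-cbc', keys['esp_ab'])};",
        f"add {b} {a} esp {spi + 3:#x} -E blowfish-cbc {hexkey('blowfish-cbc', keys['esp_ba'])};",
        f"spdadd {a} {b} any -P {out_dir} {POLICY};",
        f"spdadd {b} {a} any -P {in_dir} {POLICY};",
    ]
    return "\n".join(lines) + "\n"


def fresh_keys() -> dict:
    """One random key per SA; both scripts must be generated from the same dict."""
    return {"ah_ab": os.urandom(32), "ah_ba": os.urandom(32),
            "esp_ab": os.urandom(16), "esp_ba": os.urandom(16)}


if __name__ == "__main__":
    # Documentation addresses (RFC 3849), chosen for the example
    a, b, keys = "2001:db8::1", "2001:db8::2", fresh_keys()
    print(setkey_script(a, a, b, 0x42, keys))
    print(setkey_script(b, a, b, 0x42, keys))
```

Pipe each script into `setkey -f -` on its host (as root) after `setkey -F; setkey -FP`; for link-local peers setkey expects the interface in the address (`fe80::1%eth0`), which is the same scope the C reproducer sets through sin6_scope_id.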
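Added example, not from the thread: the check the bug report actually hinges on is whether SCTP leaves the host inside ESP, so here is a classifier for raw IP packets (no link-layer header, as you would get from a pcap reader after stripping Ethernet; the reader itself is not included) that walks the IPv6 extension-header chain and reports each packet as `esp`, `ah-only`, `cleartext` or `other`. Walking the chain matters because a naive "next header == 132" test misses SCTP hidden behind a hop-by-hop header, and because AH alone leaves the payload readable. The sample packets, their documentation-range addresses, and the helper names are constructed for this example; the SPI values reuse the numbers from the setkey script above.

```python
"""Classify raw IP packets: is the SCTP payload inside ESP, only behind AH, or in the clear?"""
import struct

# IANA protocol numbers
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60   # IPv6 extension headers
ESP, AH, SCTP, TCP = 50, 51, 132, 6
V6_CHAIN = {AH, HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}   # headers we can step over in IPv6
V4_CHAIN = {AH}                                         # ... and in IPv4


def ipsec_status(packet: bytes) -> str:
    """'esp', 'ah-only', 'cleartext', 'other' or 'truncated' for one raw IP packet (no link layer)."""
    version = packet[0] >> 4
    if version == 6:
        proto, off, chain = packet[6], 40, V6_CHAIN
    elif version == 4:
        proto, off, chain = packet[9], (packet[0] & 0x0F) * 4, V4_CHAIN
    else:
        raise ValueError("not an IPv4/IPv6 packet")
    saw_ah = False
    while proto in chain:
        if off + 2 > len(packet):
            return "truncated"
        if proto == AH:                         # AH is not encrypted: step over it and keep looking
            saw_ah = True
            length = (packet[off + 1] + 2) * 4  # AH 'payload len' is in 32-bit words, minus 2
        elif proto == FRAGMENT:
            length = 8
        else:                                   # hop-by-hop / routing / destination options
            length = (packet[off + 1] + 1) * 8  # 'hdr ext len' is in 8-octet units, minus 1
        proto, off = packet[off], off + length
    if proto == ESP:
        # Everything after the ESP header is opaque; a NULL cipher would still leak plaintext
        # and can only be caught from the SA configuration, not from the wire.
        return "esp"
    if proto == SCTP:
        return "ah-only" if saw_ah else "cleartext"
    return "other"


def audit(packets: dict) -> dict:
    """Group packet names by status; after a test run, 'cleartext' and 'ah-only' should be absent."""
    result = {}
    for name, pkt in packets.items():
        result.setdefault(ipsec_status(pkt), []).append(name)
    return result


# --- constructed sample packets: documentation addresses, SPIs taken from the thread's script ---
SRC6 = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1
DST6 = bytes.fromhex("20010db8" + "00" * 11 + "02")   # 2001:db8::2
SRC4, DST4 = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])


def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC6, DST6) + payload


def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, SRC4, DST4) + payload


def ext_header(next_header: int, options: bytes) -> bytes:
    total = 2 + len(options)
    assert total % 8 == 0, "IPv6 option headers are multiples of 8 octets"
    return bytes([next_header, total // 8 - 1]) + options


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    total = 12 + len(icv)
    assert total % 4 == 0
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, spi, seq) + icv


def esp_header(spi: int, seq: int, ciphertext: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + ciphertext


SCTP_PLAIN = struct.pack("!HHII", 45000, 3333, 0x01020304, 0) + b"plaintext\n"  # common header + data
PADN6 = b"\x01\x04\x00\x00\x00\x00"                                             # PadN option, 6 octets

SAMPLES = {
    # correct ESP+AH transport mode on the wire: IP | AH | ESP | (encrypted SCTP)
    "v6_ah_esp": ipv6(AH, ah_header(ESP, 0x42, 1, bytes(20)) + esp_header(0x44, 1, bytes(range(32)))),
    "v4_ah_esp": ipv4(AH, ah_header(ESP, 0x42, 1, bytes(16)) + esp_header(0x44, 1, bytes(range(32)))),
    # the reported symptom: SCTP straight after the IP header
    "v6_clear": ipv6(SCTP, SCTP_PLAIN),
    # same thing behind a hop-by-hop header: a naive "next header == 132" check misses it
    "v6_hopopts_clear": ipv6(HOPOPTS, ext_header(SCTP, PADN6) + SCTP_PLAIN),
    # AH only: integrity-protected but readable by anyone on the path
    "v6_ah_only": ipv6(AH, ah_header(SCTP, 0x42, 1, bytes(20)) + SCTP_PLAIN),
    "v6_tcp": ipv6(TCP, bytes(20)),
}

if __name__ == "__main__":
    for status, names in audit(SAMPLES).items():
        print(f"{status:10} {', '.join(names)}")
```

To use it on the reproducer, capture with `tcpdump -ni <iface> -w sctp.pcap 'host IP6IP6IP6IP6IP6IP6'` on either end while running the socat/C pair, strip the link layer with any pcap reader, and feed the frames to `audit()`; with the policy above loaded on both hosts, every packet between A and B should come back `esp`.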

* Re: IPsec+SCTP+IPv6 bug
From: Daniel Borkmann @ 2013-09-06 16:59 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: netdev

Thanks Alexey, I'll have a look.

