From: Christophe Gouault <christophe.gouault@6wind.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org, Saurabh Mohan <saurabh.mohan@vyatta.com>
Subject: Re: [PATCH RFC v3 0/12] vti4: prepare namespace and interfamily support.
Date: Tue, 04 Feb 2014 12:05:06 +0100 [thread overview]
Message-ID: <52F0C962.5080804@6wind.com> (raw)
In-Reply-To: <20140130095610.GR31491@secunet.com>
On 01/30/2014 10:56 AM, Steffen Klassert wrote:
> On Wed, Jan 29, 2014 at 11:55:40AM +0100, Christophe Gouault wrote:
> [...]
>> => there is no check that the forward vti security policy was
>> enforced.
>>
>
> Yes, that's true and this is a real problem. If we want to support
> namespace transitions with vti, we can't know if a packet is going
> to be forwarded or locally received in the other namespace. This means
> that we don't know if we should enforce a input or a forward policy.
>
> All we can do here, is to enforce a input policy before we do the
> namespace transition in the receive path. The patch below (on top
> of the vti patchset) should do this.
Hi Steffen, and thank you for the patch.
I tested it within a single netns, then with cross-netns. Both work as
follows:
- all the vti SPs and SAs must be created in the "outer" netns.
- only outbound and inbound vti policies are taken into account, not
forward vti policies.
in output:
- a global SPD lookup is performed before entering the vti
interface (in the inner netns). It can be bypassed by adding a policy
such as:
ip xfrm policy add dir out mark 0 dev vti1
- then a vti SPD lookup is performed with the vti interface (in the
outer netns).
in input:
- a global inbound policy check is done (in the outer netns)
on the IPsec packet by the vti interface.
- then the packet is decrypted.
- then a vti inbound policy check is done on the decrypted packet
(in the outer netns).
- then the packet device is set to the vti interface and its netns
is changed to the inner netns.
- finally, a global inbound/forward policy check is done on the
plaintext packet (without security context), as if it has just arrived
in plaintext from the network.
> But this has the implication that forward policies do not make
> much sense in combination with vti. This is a bit contrary to
> traditional xfrm processing. But on the other hand, we receive
> plaintext packets from the vti device so we should not check
> for any IPsec processing that happened before we received the
> packets via the vti device.
Unfortunately, the inbound/forward policy checks do not take the inbound
interface into account (__xfrm_decode_session does not properly fill in
the iif field of the flowi), so in the last global policy check, there
is no way of differentiating a plaintext packet directly received from
the network from a plaintext packet that was processed by a vti interface.
Intuitively, I would like to do the same as in output: add a policy that
accepts packets received via a vti interface, and only check more
closely other packets directly received from the network.
Best Regards,
Christophe.
next prev parent reply other threads:[~2014-02-04 11:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-27 10:29 [PATCH RFC v3 0/12] vti4: prepare namespace and interfamily support Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 01/12] xfrm4: Add IPsec protocol multiplexer Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 02/12] esp4: Use the IPsec protocol multiplexer API Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 03/12] ah4: " Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 04/12] ipcomp4: " Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 05/12] xfrm: Add xfrm_tunnel_skb_cb to the skb common buffer Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 06/12] ip_tunnel: Make vti work with i_key set Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 07/12] vti: Update the ipv4 side to use it's own receive hook Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 08/12] xfrm4: Remove xfrm_tunnel_notifier Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 09/12] vti4: Use the on xfrm_lookup returned dst_entry directly Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 10/12] vti4: Support inter address family tunneling Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 11/12] vti4: Check the tunnel endpoints of the xfrm state and the vti interface Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 12/12] vti4: Enable namespace changing Steffen Klassert
2014-01-28 0:35 ` [PATCH RFC v3 0/12] vti4: prepare namespace and interfamily support David Miller
2014-01-29 10:55 ` Christophe Gouault
2014-01-30 9:56 ` Steffen Klassert
2014-02-04 11:05 ` Christophe Gouault [this message]
2014-02-14 7:48 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52F0C962.5080804@6wind.com \
--to=christophe.gouault@6wind.com \
--cc=netdev@vger.kernel.org \
--cc=saurabh.mohan@vyatta.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.