* Question about tunnels, IPsec and redirect
From: Kevin Wilson @ 2013-09-24 18:52 UTC
To: kernelnewbies

Hi,
I am looking at this patch:
http://lists.openwall.net/netdev/2007/08/24/29
and I cannot understand it. Can somebody please try to explain?
More specifically:
Can somebody please give an example of some setup of IPsec tunnel
where the ip_rt_send_redirect() method should not be called when the
skb->sp is not NULL? (In other words, why, if the SKB is an IPsec SKB, should we
not send a redirect in such a case while forwarding a packet; note I am talking
about IPv4.)

Note that the check for skb->sp was changed in recent kernels to
skb_sec_path(skb), but it is essentially the same.

Regards,
Kevin
* Question about tunnels, IPsec and redirect
From: bill4carson @ 2013-09-26 7:02 UTC
To: kernelnewbies

Hi Kevin

On 2013-09-25 02:52, Kevin Wilson wrote:
> Hi,
> I am looking at this patch:
> http://lists.openwall.net/netdev/2007/08/24/29
> and I cannot understand it. Can somebody please try
> to explain?
> More specifically:
> Can somebody please give an example of some setup of IPsec tunnel
> where the ip_rt_send_redirect() method should not be called when the
> skb->sp is not NULL?

+ if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp)
                                                   ^^^^^^^
If IPsec policy is not enabled for a specific flow that this skb matches,
skb->sp is NULL.

> (In other words, why, if the SKB is an IPsec SKB, should we not send a
> redirect in such a case while forwarding a packet; note I am talking
> about IPv4.)
>
> Note that the check for skb->sp was changed in recent kernels to
> skb_sec_path(skb), but it is essentially the same.
>
> Regards,
> Kevin

--bill
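Review bot: the added condition `rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp` mixes a bitwise test with logical operators and no parentheses; it is correct only because `&` binds tighter than `&&`, so `(rt->rt_flags & RTCF_DOREDIRECT)` with the usual spacing would make the intent obvious. The new `!skb->sp` term also carries no comment saying why a non-NULL sec path (a packet decapsulated from IPsec) must suppress the redirect, which is exactly the question this thread had to ask; a one-line comment at that point would document it, and since later kernels access the field through `skb_sec_path(skb)`, the helper is the form to prefer.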
* Question about tunnels, IPsec and redirect
From: Kevin Wilson @ 2013-09-26 7:31 UTC
To: kernelnewbies

Hi,
Of course.
But the (unanswered) question is:
when sp is non-NULL and we are working with IPsec, why shouldn't we
send a redirect in such a case?

rgs
Kevin

On Thu, Sep 26, 2013 at 10:02 AM, bill4carson <bill4carson@gmail.com> wrote:
> Hi Kevin
>
> On 2013-09-25 02:52, Kevin Wilson wrote:
>> [...]
>> Can somebody please give an example of some setup of IPsec tunnel
>> where the ip_rt_send_redirect() method should not be called when the
>> skb->sp is not NULL?
>
> + if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp)
>                                                    ^^^^^^^
> If IPsec policy is not enabled for a specific flow that this skb matches,
> skb->sp is NULL.
>
>> [...]
>
> --bill
* Question about tunnels, IPsec and redirect
From: bill4carson @ 2013-09-29 2:23 UTC
To: kernelnewbies

Hi, Kevin

On 2013-09-26 15:31, Kevin Wilson wrote:
> Hi,
> Of course.
> But the (unanswered) question is:
> when sp is non-NULL and we are working with IPsec, why shouldn't we
> send a redirect in such a case?

Apologies for replying late.

I think you are probably missing what "ICMP redirect" does; if so, please
take a look at this link:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

My understanding is:
If a host is protected by gateway A using IPsec, even if a better route for the host is
gateway B, gateway A cannot tell the host to use gateway B as next hop (by sending a redirect),
as the IPsec policy is on gateway A only, not necessarily on gateway B.

I think this is the scenario that the patch is trying to describe.

> rgs
> Kevin
>
> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson <bill4carson@gmail.com> wrote:
>> [...]

--bill
* Question about tunnels, IPsec and redirect
From: bill4carson @ 2013-09-29 2:36 UTC
To: kernelnewbies

On 2013-09-29 10:23, bill4carson wrote:
> Hi, Kevin
>
> On 2013-09-26 15:31, Kevin Wilson wrote:
>> Hi,
>> Of course.
>> But the (unanswered) question is:
>> when sp is non-NULL and we are working with IPsec, why shouldn't we
>> send a redirect in such a case?
>
> Apologies for replying late.
>
> I think you are probably missing what "ICMP redirect" does; if so, please
> take a look at this link:
>
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
>
> My understanding is:
> If a host is protected by gateway A using IPsec, even if a better route for the host is
> gateway B, gateway A cannot tell the host to use gateway B as next hop (by sending a redirect),
> as the IPsec policy is on gateway A only, not necessarily on gateway B.
>
> I think this is the scenario that the patch is trying to describe.

There is a subtle difference from what I described above, but it is mostly the same.

Quote from the original commit log:

    IPv4 IPsec tunnel gateway incorrectly sends redirect to sender if it
    is onlink host when network device the IPsec tunnelled packet is
    arrived is the same as the one the decapsulated packet is sent.

The author may have meant this scenario:

              Gateway B
             /         \
            /           \
           /             \
    Host ----> Gateway A

Gateway A protects traffic from the host destined to Gateway B, while Gateway A
finally finds out that the host's better next hop should be Gateway B.
So we cannot send a redirect here to Host, otherwise the traffic will be naked
for Gateway B.

>> [...]

--bill
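A small C model of the forwarding decision discussed in this thread, added here as an example and not kernel code: it compares the redirect condition before and after the patch on a constructed inner packet that arrived through the IPsec tunnel, and shows that honouring a redirect would move the host's next hop off gateway A, the only place the IPsec policy exists. The struct, function names and the flag value (fwd_pkt, redirect_before_patch, host_next_hop_after, RTCF_DOREDIRECT = 0x01) are hypothetical stand-ins, not the kernel's definitions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the route flag "a better next hop is on the same link"
 * (the value is hypothetical, not the kernel's). */
#define RTCF_DOREDIRECT 0x01

/* The per-packet facts the forwarding path consults (hypothetical struct). */
struct fwd_pkt {
    int  rt_flags;  /* flags of the route found for the destination */
    bool srr;       /* source-route option present (opt->srr) */
    bool sec_path;  /* decapsulated from IPsec (skb->sp / skb_sec_path non-NULL) */
};

/* Redirect condition before the patch: on-link better hop, not source-routed. */
bool redirect_before_patch(const struct fwd_pkt *p)
{
    return (p->rt_flags & RTCF_DOREDIRECT) && !p->srr;
}

/* Redirect condition after the patch: additionally, no IPsec sec path. */
bool redirect_after_patch(const struct fwd_pkt *p)
{
    return (p->rt_flags & RTCF_DOREDIRECT) && !p->srr && !p->sec_path;
}

enum next_hop { VIA_GW_A = 1, VIA_GW_B = 2 };

/* The host accepts ICMP redirects: if gateway A sends one, the host's next hop
 * for this destination moves to gateway B. Returns the host's next hop after
 * gateway A has forwarded packet p using the given decision rule. */
enum next_hop host_next_hop_after(const struct fwd_pkt *p,
                                  bool (*decide)(const struct fwd_pkt *))
{
    return decide(p) ? VIA_GW_B : VIA_GW_A;
}

/* Only traffic still transiting gateway A is covered by its IPsec policy. */
bool traffic_protected(enum next_hop nh) { return nh == VIA_GW_A; }

int main(void)
{
    /* Constructed packet: inner packet that arrived through the IPsec tunnel. */
    struct fwd_pkt ipsec = { RTCF_DOREDIRECT, false, true };

    printf("before patch: protected=%d\n",
           traffic_protected(host_next_hop_after(&ipsec, redirect_before_patch)));
    printf("after patch:  protected=%d\n",
           traffic_protected(host_next_hop_after(&ipsec, redirect_after_patch)));
    return 0;
}
```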