kernelnewbies.kernelnewbies.org archive mirror
From: bill4carson@gmail.com (bill4carson)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Question about tunnels, IPsec and redirect
Date: Sun, 29 Sep 2013 10:36:18 +0800
Message-ID: <52479222.2020009@gmail.com>
In-Reply-To: <52478F29.8080704@gmail.com>



On 2013-09-29 10:23, bill4carson wrote:
> Hi, Kevin
> 
> On 2013-09-26 15:31, Kevin Wilson wrote:
>> Hi,
>> Of course.
>> But the (unanswered) question is:
>> when sp is non-NULL and we are working with IPsec, why shouldn't we
>> send a redirect in such a case?
> 
> Apologize for replying late.
> 
> I think you are probably missing what "ICMP redirect" does; if so, please
> take a look at this link:
> 
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
> 
> My understanding is:
> If the host is protected by gateway A using IPsec, even if a better route for the host is
> gateway B, gateway A cannot tell the host to use gateway B as next hop (by sending a redirect),
> as the IPsec policy is on gateway A only, not necessarily on gateway B.
> 
> I think this is the scenario that the patch is trying to describe.

There is a subtle difference from what I described above, but it is mostly the same.

Quotes from original commit log:

IPv4 IPsec tunnel gateway incorrectly sends a redirect to the
sender, if it is an on-link host, when the network device the IPsec tunnelled
packet arrived on is the same as the one the decapsulated packet
is sent on.

The author may have meant this scenario:


     Gateway B
    /       \
   /         \
  /           \
Host ---->  Gateway A

Gateway A protects traffic from Host destined to Gateway B, while eventually
Gateway A finds out that Host's better next hop should be Gateway B. So we cannot
send a redirect to Host here, otherwise the traffic will be naked for Gateway B.



> 
> 
>> rgs
>> Kevin
>>
>> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson<bill4carson@gmail.com>   wrote:
>>> Hi Kevin
>>>
>>>
>>> On 2013-09-25 02:52, Kevin Wilson wrote:
>>>>
>>>> Hi,
>>>> I am looking at this patch:
>>>> http://lists.openwall.net/netdev/2007/08/24/29
>>>> and I cannot understand it. Can somebody please try
>>>> to explain?
>>>> more specifically:
>>>> Can somebody please give an example of some setup of IPsec tunnel
>>>> where the ip_rt_send_redirect() method should not be called when the
>>>> skb->sp is not NULL?
>>>
>>>
>>> +       if (rt->rt_flags&RTCF_DOREDIRECT&&   !opt->srr&&   !skb->sp)
>>>                                                             ^^^^^^^
>>> If IPsec policy is not enabled for a specific flow that this skb matches,
>>> skb->sp is NULL.
>>>
>>>
>>>
>>>> (in other words, why, if the SKB is an IPsec SKB, should we not send a
>>>> redirect in such a case while forwarding a packet; note I am talking
>>>> about IPv4)
>>>>
>>>> Note that the check for skb->sp was changed in recent kernels to
>>>> skb_sec_path(skb), but it is essentially the same.
>>>>
>>>>
>>>> Regards,
>>>> Kevin
>>>>
>>>
>>> --
>>>
>>> --bill
>>
> 

-- 

--bill
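As an added illustration (not the kernel's code and not taken from the patch), a small C model of the redirect check in the scenario above: Gateway A would forward Host's packet to Gateway B out of the same device it arrived on, so RTCF_DOREDIRECT is set, and only the security path (skb->sp) keeps the redirect from being sent. Device names and addresses are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Added example, not kernel code: a model of the forwarding-path redirect
 * check quoted in the thread.  Devices and addresses are constructed for the
 * Host / Gateway A / Gateway B scenario. */

#define RTCF_DOREDIRECT 0x01        /* flag name as in the quoted condition */

struct route {
    const char *out_dev;            /* device Gateway A would forward on */
    const char *nexthop;            /* next hop Gateway A would use */
};

struct skb {
    const char *src, *in_dev;       /* sender and arrival device */
    bool srr;                       /* source-routing option (opt->srr) */
    bool sec_path;                  /* skb->sp != NULL: came out of an IPsec SA */
};

bool should_send_redirect(const struct route *rt, const struct skb *s)
{
    unsigned rt_flags = 0;
    /* RTCF_DOREDIRECT: the packet would leave on the device it arrived on
     * and the sender is not already using that next hop. */
    if (strcmp(rt->out_dev, s->in_dev) == 0 && strcmp(rt->nexthop, s->src) != 0)
        rt_flags |= RTCF_DOREDIRECT;
    /* The quoted kernel condition, with !skb->sp as the IPsec term. */
    return (rt_flags & RTCF_DOREDIRECT) && !s->srr && !s->sec_path;
}

/* Gateway A reaches Gateway B (192.0.2.2) on eth0, the link Host is on. */
static const struct route to_gateway_b = { "eth0", "192.0.2.2" };

/* Cleartext Host -> Gateway A -> Gateway B: Gateway A redirects Host. */
bool plain_forward_redirects(void)
{
    struct skb s = { "192.0.2.10", "eth0", false, false };
    return should_send_redirect(&to_gateway_b, &s);
}

/* Same flow after decapsulation from Host's IPsec tunnel to Gateway A
 * (skb->sp set): no redirect, or Host would send to Gateway B unprotected. */
bool ipsec_forward_redirects(void)
{
    struct skb s = { "192.0.2.10", "eth0", false, true };
    return should_send_redirect(&to_gateway_b, &s);
}
```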

Thread overview: 5+ messages
2013-09-24 18:52 Question about tunnels, IPsec and redirect Kevin Wilson
2013-09-26  7:02 ` bill4carson
2013-09-26  7:31   ` Kevin Wilson
2013-09-29  2:23     ` bill4carson
2013-09-29  2:36       ` bill4carson [this message]