From: Andreas Gruenbacher <agruen@suse.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@redhat.com>, netdev@oss.sgi.com
Subject: Re: [NAT-T] NON-IKE encapsulation
Date: Sat, 26 Jun 2004 01:30:29 +0200 [thread overview]
Message-ID: <1088206229.25933.57.camel@winden.suse.de> (raw)
In-Reply-To: <20040625215747.GA14930@gondor.apana.org.au>
Hello,
On Fri, 2004-06-25 at 23:57, Herbert Xu wrote:
> On Fri, Jun 25, 2004 at 10:12:31AM -0700, David S. Miller wrote:
> >
> > I now think it's trying to account for the udpdata32[] header area.
> > But that's not 2 bytes, it's (2 * sizeof(u32)) or 8 bytes.
>
> That's what I thought too, but that is already accounted by
> x->props.header_len in init_state.
>
> In any case, just increasing alen like that is wrong. It needs to
> do at least three other things:
>
> 1. Allocate memory for it in skb_cow_data.
> 2. Fill in those bytes with data so we don't leak information.
> 3. Teach get_max_size about it.
>
> Andreas, can you please clarify for us as to what those two bytes
> are for?
Your analyses are entirely correct. The two instances of ``alen += 2''
are indeed complete nonsense. The extra 8 bytes required are already
accounted for in header_len; nothing other than the two zero-filled
words is required for this encapsulation mode.
Attached is a new version of the original patch, and a relative diff for
reference. Thanks for reviewing and for reporting. (And sorry for the
confusion; I'm a bit stressed out at the moment.)
Cheers,
--
Andreas Gruenbacher <agruen@suse.de>
SUSE Labs, SUSE LINUX AG
[-- Attachment #2: ipsec-nat-t-old --]
[-- Type: text/plain, Size: 4169 bytes --]
This adds support for the old NAT Traversal packet format described
in draft-ietf-ipsec-udp-encaps-00/01. More recent Internet Drafts
define an improved format, but some ipsec implementations still
don't support that.
Andreas Gruenbacher <agruen@suse.de>, SUSE Labs, 2004.
Index: linux-2.6.5/net/ipv4/udp.c
===================================================================
--- linux-2.6.5.orig/net/ipv4/udp.c
+++ linux-2.6.5/net/ipv4/udp.c
@@ -975,6 +975,7 @@ static int udp_encap_rcv(struct sock * s
/* Must be an IKE packet.. pass it through */
return 1;
+ decaps:
/* At this point we are sure that this is an ESPinUDP packet,
* so we need to remove 'len' bytes from the packet (the UDP
* header and optional ESP marker bytes) and then modify the
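Review bot: the new `decaps:` label gives no hint of who jumps to it or what it expects; the jump from the `UDP_ENCAP_ESPINUDP_NON_IKE` case in the next hunk arrives with `len` already set to `sizeof(struct udphdr) + 2 * sizeof(u32)`, and the code under the label strips exactly `len` bytes, so a one-line comment at the label stating that the caller must have set `len` to the number of bytes to remove would document that contract.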
@@ -1002,6 +1003,20 @@ static int udp_encap_rcv(struct sock * s
/* and let the caller know to send this into the ESP processor... */
return -1;
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
+ /* Check if this is a keepalive packet. If so, eat it. */
+ if (len == 1 && udpdata[0] == 0xff) {
+ return 0;
+ } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
+ udpdata32[0] == 0 && udpdata32[1] == 0) {
+
+ /* ESP Packet with Non-IKE marker */
+ len = sizeof(struct udphdr) + 2 * sizeof(u32);
+ goto decaps;
+ } else
+ /* Must be an IKE packet.. pass it through */
+ return 1;
+
default:
if (net_ratelimit())
printk(KERN_INFO "udp_encap_rcv(): Unhandled UDP encap type: %u\n",
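Review bot: the trailing `else` of the NON_IKE case is unbraced (`} else`, then the comment, then `return 1;`) while the `if` and `else if` branches are braced; brace it for consistency so the comment is unambiguously inside the branch. The ordering of the checks is sound: the 1-byte `0xff` keepalive is consumed first, and `udpdata32[0]` / `udpdata32[1]` are only read after `len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr)` has guaranteed those eight bytes and a full ESP header are present.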
Index: linux-2.6.5/net/ipv4/esp4.c
===================================================================
--- linux-2.6.5.orig/net/ipv4/esp4.c
+++ linux-2.6.5/net/ipv4/esp4.c
@@ -31,6 +31,7 @@ int esp_output(struct sk_buff *skb)
struct esp_data *esp;
struct sk_buff *trailer;
struct udphdr *uh = NULL;
+ u32 *udpdata32;
struct xfrm_encap_tmpl *encap = NULL;
int blksize;
int clen;
@@ -97,6 +98,13 @@ int esp_output(struct sk_buff *skb)
esph = (struct ip_esp_hdr*)(uh+1);
top_iph->protocol = IPPROTO_UDP;
break;
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
+ uh = (struct udphdr*) esph;
+ udpdata32 = (u32*)(uh+1);
+ udpdata32[0] = udpdata32[1] = 0;
+ esph = (struct ip_esp_hdr*)(udpdata32+2);
+ top_iph->protocol = IPPROTO_UDP;
+ break;
default:
printk(KERN_INFO
"esp_output(): Unhandled encap: %u\n",
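Review bot: a short comment is missing here on where the eight marker bytes come from: they are reserved via `x->props.header_len` in the `esp_init_state` hunk, not allocated at this site, and they are explicitly zeroed (`udpdata32[0] = udpdata32[1] = 0;`) before `esph` is advanced past them, which is what keeps uninitialised buffer contents from leaking into the packet. Tying the two hunks together in a comment would save the next reader the search.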
@@ -132,6 +140,13 @@ int esp_output(struct sk_buff *skb)
esph = (struct ip_esp_hdr*)(uh+1);
top_iph->protocol = IPPROTO_UDP;
break;
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
+ uh = (struct udphdr*) esph;
+ udpdata32 = (u32*)(uh+1);
+ udpdata32[0] = udpdata32[1] = 0;
+ esph = (struct ip_esp_hdr*)(udpdata32+2);
+ top_iph->protocol = IPPROTO_UDP;
+ break;
default:
printk(KERN_INFO
"esp_output(): Unhandled encap: %u\n",
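Review bot: this `UDP_ENCAP_ESPINUDP_NON_IKE` case is byte-for-byte identical to the one added in the earlier `esp_output` hunk (set `uh`, zero `udpdata32[0..1]`, advance `esph`, set `IPPROTO_UDP`); a small static helper that places the UDP header plus marker and returns the new `esph` would keep both call sites in step, which matters given that a fix (the `alen += 2` removal in delta.diff) already had to be applied twice.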
@@ -294,6 +309,7 @@ int esp_input(struct xfrm_state *x, stru
switch (decap->decap_type) {
case UDP_ENCAP_ESPINUDP:
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
if ((void*)uh == (void*)esph) {
printk(KERN_DEBUG
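Review bot: folding `UDP_ENCAP_ESPINUDP_NON_IKE` into the `UDP_ENCAP_ESPINUDP` case here is only correct because `udp_encap_rcv` has already removed the UDP header and the 8-byte marker (it sets `len = sizeof(struct udphdr) + 2 * sizeof(u32)` before `goto decaps`), so `esph` points at the ESP header in both modes; a comment on the shared case label stating that assumption would make the coupling to udp.c explicit.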
@@ -354,6 +370,7 @@ int esp_post_input(struct xfrm_state *x,
switch (encap->encap_type) {
case UDP_ENCAP_ESPINUDP:
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
/*
* 1) if the NAT-T peer's IP or port changed then
* advertize the change to the keying daemon.
@@ -534,6 +551,9 @@ int esp_init_state(struct xfrm_state *x,
case UDP_ENCAP_ESPINUDP:
x->props.header_len += sizeof(struct udphdr);
break;
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
+ x->props.header_len += sizeof(struct udphdr) + 2 * sizeof(u32);
+ break;
default:
printk (KERN_INFO
"esp_init_state(): Unhandled encap type: %u\n",
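Review bot: `2 * sizeof(u32)` for the Non-IKE marker now appears in four places (here, in `udp_encap_rcv`, and twice in `esp_output`); a named constant, for example a hypothetical `ESPINUDP_NON_IKE_MARKER_LEN`, would stop the `header_len` reservation and the output and receive paths from drifting apart. With the marker counted in `header_len` here, no further `alen` adjustment is needed, which is the conclusion the thread reached.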
Index: linux-2.6.5/include/linux/udp.h
===================================================================
--- linux-2.6.5.orig/include/linux/udp.h
+++ linux-2.6.5/include/linux/udp.h
@@ -31,6 +31,7 @@ struct udphdr {
#define UDP_ENCAP 100 /* Set the socket to accept encapsulated packets */
/* UDP encapsulation types */
+#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-06 */
#ifdef __KERNEL__
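Review bot: the comment on the new define cites `draft-ietf-ipsec-nat-t-ike-00/01`, while the patch description cites `draft-ietf-ipsec-udp-encaps-00/01` for the packet format; the two should agree (or both be cited) so a reader can find the right document. It is also worth stating in the comment that the value 1 is handed in from userspace through the `UDP_ENCAP` socket option and so becomes ABI once merged.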
[-- Attachment #3: delta.diff --]
[-- Type: text/x-patch, Size: 674 bytes --]
Index: linux-2.6.5/net/ipv4/esp4.c
===================================================================
--- linux-2.6.5.orig/net/ipv4/esp4.c
+++ linux-2.6.5/net/ipv4/esp4.c
@@ -103,7 +103,6 @@ int esp_output(struct sk_buff *skb)
udpdata32 = (u32*)(uh+1);
udpdata32[0] = udpdata32[1] = 0;
esph = (struct ip_esp_hdr*)(udpdata32+2);
- alen += 2;
top_iph->protocol = IPPROTO_UDP;
break;
default:
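Review bot: dropping `alen += 2` is the correct fix: the marker is 8 bytes, not 2, and those 8 bytes are already reserved through `header_len` in `esp_init_state`, so the only work this mode adds at output time is the two zeroed words written just above. The full patch attached as ipsec-nat-t-old already omits this line, so the cover text should say that delta.diff is for reference only and is not to be applied on top of it.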
@@ -146,7 +145,6 @@ int esp_output(struct sk_buff *skb)
udpdata32 = (u32*)(uh+1);
udpdata32[0] = udpdata32[1] = 0;
esph = (struct ip_esp_hdr*)(udpdata32+2);
- alen += 2;
top_iph->protocol = IPPROTO_UDP;
break;
default:
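Review bot: same removal for the second `esp_output` case; with both `alen += 2` lines gone the two NON_IKE cases are identical, which strengthens the case for a single shared helper in the full patch.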