From: Martin Willi <martin@strongswan.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [PATCH] xfrm: Accept ESP packets regardless of UDP encapsulation mode
Date: Thu, 18 Dec 2008 13:36:56 +0100 [thread overview]
Message-ID: <1229603816.10402.178.camel@martin> (raw)
In-Reply-To: <E1LDGgX-0007JE-T9@gondolin.me.apana.org.au>
> IKE or IKEv2 is supposed to negotiate UDP encapsulation
> explicitly. So either we did negotiate to use UDP encapsulation,
> and Strongswan ignored it (it's buggy), or we didn't and the peer
> still chose to use it (the peer is buggy).
This is just not true. UDP encapsulation is never negotiated explicitly
in IKEv2. It is enabled if the peer thinks it is might help, for example
if it detects a NAT situation. There is no way to say "use UDP
encapsulation".
> More importantly, you've failed to demonstrate why you need this
> in the first place. None of the URLs you've quoted tells us that
> the kernel needs to handle an SA switching between with encap and
> without encap without the key manager telling it to do so.
The local key manager does not know whether the peer enables UDP
encapsulation, it can't. Most likely it will in NAT situations, but it
might do so even if there is no NAT detected. And this is not a bug, it
is allowed to do so by the protocol.
> In either case it's a serious bug in the key manager. I don't see
> why we should work around such brokenness in the kernel.
>From the key manager perspective, I can enable or disable UDP
encapsulation, fine. I decide locally what I'll use for outgoing
packets. But how should I know what the peer uses? I can't, it isn't
negotiated. It is, by the standard, perfectly valid to send UDP
encapsulated packets if the peer wants to do so. And there is no need to
communicate this to the key manager, there is actually no such mechanism
in IKEv2. Therefore I need the kernel to accept packet, encapsulated or
not.
> For a start, you've introduced a bug in the ESP code as it may try
> access a non-existant UDP header and then interpret that as an
> address change which will generate bogus events to your daemon.
I agree, I've missed that (because "my" daemon uses Netlink and the
km_new_mapping event was not implemented until recently).
But this is no valid reason to drop that approach in general, it is a
side effect introduced by my specific patch. This can be fixed.
Martin
next prev parent reply other threads:[~2008-12-18 12:37 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-04 13:18 [PATCH] xfrm: Accept ESP packets regardless of UDP encapsulation mode Martin Willi
2008-12-04 23:40 ` David Miller
2008-12-18 3:47 ` Herbert Xu
2008-12-18 3:49 ` David Miller
2008-12-18 3:57 ` Herbert Xu
2008-12-18 4:14 ` Herbert Xu
2008-12-18 4:17 ` David Miller
2008-12-18 4:21 ` Herbert Xu
2008-12-18 10:35 ` Martin Willi
2008-12-18 11:04 ` Herbert Xu
2008-12-18 12:36 ` Martin Willi [this message]
2008-12-18 20:54 ` Herbert Xu
2008-12-19 3:23 ` David Miller
2008-12-19 10:00 ` Martin Willi
2008-12-19 10:19 ` Herbert Xu
2008-12-18 22:38 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1229603816.10402.178.camel@martin \
--to=martin@strongswan.org \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox