netdev.vger.kernel.org archive mirror
From: "Jiri Klimes" <klimes@centrum.cz>
To: <netdev@vger.kernel.org>
Subject: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
Date: Fri, 24 Apr 2009 13:11:34 +0200
Message-ID: <200904241311.14474@centrum.cz>
In-Reply-To: <200904241310.10823@centrum.cz>

Hello,

please find a patch in the attachment.
I propose the patch to allow creation of an IPsec SA shareable by more protocols (TCP, UDP, ...).

Description:

When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and specifies
'sport' and 'dport' at the same time in selector, the following error is issued:
"sport" and "dport" are invalid with proto=ip

However using IPPROTO_IP with ports is completely legal and necessary when one
wants to share the SA on both TCP and UDP.
One of the applications requiring sharing SAs is 3GPP IMS AKA authentication.

testcase:
ip x s add src 10.0.0.10 dst 10.0.0.20 proto esp spi 0x3113 \
    enc cipher_null "" auth md5 0xbde359723576fdea08e56cbe876e24ad \
    mode transport sel proto any sport 1234 dport 4321

Note: XFRM allows this programmatically.

Could you please review the patch and apply it.

Cheers,
Jiri Klimes

PS: a bug report on this is filed in redhat's bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=497355
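
The selector from the test case above, as an added example that is not part of the original message or of the attached patch: a simplified C model showing why 'proto any' combined with ports lets one SA cover both TCP and UDP on the same port pair. The struct and function names are hypothetical; the field names follow struct xfrm_selector in <linux/xfrm.h>, and the matching rule (masked port compare, proto 0 as wildcard) is this example's assumption about selector semantics.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>    /* htons */
#include <netinet/in.h>   /* IPPROTO_IP, IPPROTO_TCP, IPPROTO_UDP */

/* Simplified model of the selector fields involved (addresses omitted);
 * field names follow struct xfrm_selector, the type itself is hypothetical. */
struct sel_model {
    uint16_t sport, sport_mask;   /* network byte order */
    uint16_t dport, dport_mask;
    uint8_t  proto;               /* 0 == IPPROTO_IP == 'proto any' */
};

/* Constructed sample flow: protocol plus ports in network byte order. */
struct flow_model {
    uint8_t  proto;
    uint16_t sport, dport;
};

/* Selector from the test case: sel proto any sport 1234 dport 4321. */
static struct sel_model testcase_selector(void)
{
    struct sel_model s = {
        .sport = htons(1234), .sport_mask = 0xffff,
        .dport = htons(4321), .dport_mask = 0xffff,
        .proto = IPPROTO_IP,
    };
    return s;
}

/* Assumed match rule: masked ports must agree; proto 0 is a wildcard. */
static int sel_match(const struct sel_model *s, const struct flow_model *f)
{
    return !((f->sport ^ s->sport) & s->sport_mask) &&
           !((f->dport ^ s->dport) & s->dport_mask) &&
           (s->proto == 0 || s->proto == f->proto);
}

int main(void)
{
    struct sel_model s = testcase_selector();
    struct flow_model tcp = { IPPROTO_TCP, htons(1234), htons(4321) };
    struct flow_model udp = { IPPROTO_UDP, htons(1234), htons(4321) };
    struct flow_model off = { IPPROTO_UDP, htons(1234), htons(53) };
    printf("tcp=%d udp=%d other-port=%d\n",
           sel_match(&s, &tcp), sel_match(&s, &udp), sel_match(&s, &off));
    return 0;
}
```

With a zero port mask the port fields stop constraining the match, so a selector that keeps non-zero masks under 'proto any' is still narrower than a protocol-and-port wildcard.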


