'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors

'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors

[Jiri Klimes]

Hello,

please find a patch in the attachment.
I propose the patch to allow creation of an IPsec SA shareble by more protocols (TCP, UDP, ...)

Description:

When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and specifies
'sport' and 'dport' at the same time in selector, the following error is issued:
"sport" and "dport" are invalid with proto=ip

However using IPPROTO_IP with ports is completely legal and necessary when one
wants to share the SA on both TCP and UDP.
One of the applications requiring sharing SAs is 3GPP IMS AKA authentication.

testcase:
ip x s add src 10.0.0.10 dst 10.0.0.20 proto esp spi 0x3113 enc cipher_null ""
auth md5 0xbde359723576fdea08e56cbe876e24ad mode transport sel proto any sport
1234 dport 4321

Note: XFRM allows this programatically.

Could you please review the patch and apply it.

Cheers,
Jiri Klimes

PS: a bug report on this is filed in redhat's bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=497355

Re: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors

[David Miller]

From: "Jiri Klimes" <klimes@centrum.cz>
Date: Fri, 24 Apr 2009 13:11:34 +0200

> please find a patch in the attachment.

There is no attachment.

Re: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors

[Jiri Klimes]

[-- Attachment #1: Type: text/plain, Size: 495 bytes --]

______________________________________________________________
> Od: davem@davemloft.net
> Komu: klimes@centrum.cz
> CC: netdev@vger.kernel.org
> Datum: 24.04.2009 13:49
> Předmět: Re: 'ip' command should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
>
>From: "Jiri Klimes" <klimes@centrum.cz>
>Date: Fri, 24 Apr 2009 13:11:34 +0200
>
>> please find a patch in the attachment.
>
>There is no attachment.
>

oops, sorry.
Forgot the most important.



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: ip_sa.patch --]
[-- Type: text/x-patch; name="ip_sa.patch", Size: 487 bytes --]

--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -1156,6 +1156,7 @@ static int xfrm_selector_upspec_parse(struct xfrm_selector *sel,
                case IPPROTO_UDP:
                case IPPROTO_SCTP:
                case IPPROTO_DCCP:
+               case IPPROTO_IP:  /* to allow shared SA for different protocols */
                        break;
                default:
                        fprintf(stderr, "\"sport\" and \"dport\" are invalid with proto=%s\n", strxf_proto(sel->proto));