From: Herbert Xu <herbert@gondor.apana.org.au>
To: David Miller <davem@davemloft.net>
Cc: ja@ssi.bg, netdev@vger.kernel.org
Subject: Re: [PATCH net-next] ipv4: one more case for non-local saddr in ICMP
Date: Sat, 20 Aug 2011 16:20:48 +0800 [thread overview]
Message-ID: <20110820082048.GA15169@gondor.apana.org.au> (raw)
In-Reply-To: <20110819.034354.219449243171613725.davem@davemloft.net>
On Fri, Aug 19, 2011 at 03:43:54AM -0700, David Miller wrote:
> From: Julian Anastasov <ja@ssi.bg>
> Date: Mon, 15 Aug 2011 19:21:23 +0300 (EEST)
>
> >
> > May be there is one more case that we can avoid using
> > non-local source for ICMP errors: xfrm_lookup, num_xfrms = 0 when
> > reverse "Flow passes untransformed". Avoid using the input route
> > if xfrm_lookup returns same dst.
> >
> > Signed-off-by: Julian Anastasov <ja@ssi.bg>
> > ---
> >
> > In fact, should we use local IP in all cases when
> > sending ICMP? I'm asking it for the following case:
> >
> > Large packet is forwarded but is rejected with ICMP FRAG
> > NEEDED. We usually send ICMP with local saddr instead of the
> > original non-local destination. What is the role of
> > this reverse check? May be after xfrm_decode_session_reverse
> > we should use 'fl4_dec.saddr = fl4->saddr;' so that xfrm_lookup
> > works with ICMP from local IP? What is right thing to do here?
> > I don't see code that looks in the embedded header...
>
> Well.. this relookup behavior is guided by a special transform state
> XFRM_STATE_ICMP that the user must explicitly create IPSEC rules for.
>
> Presumably they are going to add real transforms to such special IPSEC
> rules, not create NOP ones with no transforms. And if they do create
> such IPSEC state with no transforms, perhaps the intention is to trigger
> to use of the non-local source.
>
> The whole thing revolves around how Herbert envisions people implementing
> RFC4301 support using this new XFRM_STATE_ICMP thing.
>
> Right?
The intention of XFRM_STATE_ICMP is to automatically allow inbound
IPsec-protected ICMP packets (remember that IPsec tunnels are not
automatically allowed, as that opens room for address spoofing).
Imagine if you have a policy P that allows IPsec packets with inner
addresses going from S to D. The purpose of this is to ensure that
ICMP packets from D to S are automatically allowed.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
next prev parent reply other threads:[~2011-08-20 8:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-15 16:21 [PATCH net-next] ipv4: one more case for non-local saddr in ICMP Julian Anastasov
2011-08-19 10:43 ` David Miller
2011-08-20 8:20 ` Herbert Xu [this message]
2011-08-23 6:34 ` Julian Anastasov
2011-08-23 6:46 ` Herbert Xu
2011-08-25 2:37 ` David Miller
2011-08-25 7:25 ` Julian Anastasov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110820082048.GA15169@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=davem@davemloft.net \
--cc=ja@ssi.bg \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox