From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steffen Klassert
Subject: Re: [PATCHv2 net] xfrm: Guard IPsec anti replay window against replay bitmap
Date: Wed, 18 Sep 2013 13:16:46 +0200
Message-ID: <20130918111646.GQ7660@secunet.com>
References: <1379402053-19653-1-git-send-email-fan.du@windriver.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: davem@davemloft.net, netdev@vger.kernel.org
To: Fan Du
Return-path:
Received: from a.mx.secunet.com ([195.81.216.161]:58466 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751819Ab3IRLQt (ORCPT ); Wed, 18 Sep 2013 07:16:49 -0400
Content-Disposition: inline
In-Reply-To: <1379402053-19653-1-git-send-email-fan.du@windriver.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Tue, Sep 17, 2013 at 03:14:13PM +0800, Fan Du wrote:
> For legacy IPsec anti replay mechanism:
>
> bitmap in struct xfrm_replay_state could only provide a 32-bit
> window size limit in current design, thus user level parameter
> sadb_sa_replay should honor this limit, otherwise misleading
> outputs ("replay=244") by setkey -D will be:
>
> 192.168.25.2 192.168.22.2
> 	esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
> 	E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2
> 	A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
> 	seq=0x00000000 replay=244 flags=0x00000000 state=mature
> 	created: Sep 17 14:00:00 2013	current: Sep 17 14:00:22 2013
> 	diff: 22(s)	hard: 30(s)	soft: 26(s)
> 	last: Sep 17 14:00:00 2013	hard: 0(s)	soft: 0(s)
> 	current: 1408(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 22	hard: 0	soft: 0
> 	sadb_seq=1 pid=4854 refcnt=0
> 192.168.22.2 192.168.25.2
> 	esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
> 	E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282
> 	A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
> 	seq=0x00000000 replay=244 flags=0x00000000 state=mature
> 	created: Sep 17 14:00:00 2013	current: Sep 17 14:00:22 2013
> 	diff: 22(s)	hard: 30(s)	soft: 26(s)
> 	last: Sep 17 14:00:00 2013	hard: 0(s)	soft: 0(s)
> 	current: 1408(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 22	hard: 0	soft: 0
> 	sadb_seq=0 pid=4854 refcnt=0
>
> And also, optimizing xfrm_replay_check window checking by setting the
> desirable x->props.replay_window with only doing the comparison once
> for all when xfrm_state is first born.
>
> Signed-off-by: Fan Du

Applied to ipsec, thanks!
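The limit the patch guards, shown as an added illustration rather than kernel code: a minimal legacy-style anti-replay window backed by one 32-bit bitmap, modelled on the layout of struct xfrm_replay_state, whose init refuses any window the bitmap cannot hold, so a request like replay=244 is rejected up front instead of being reported back as if it were honored. The struct and function names here are my own, not the xfrm API.

```c
#include <stdbool.h>
#include <stdint.h>

/* Legacy-style state (constructed): one 32-bit bitmap, so at most 32 packets
 * of history can be tracked whatever window size user space asks for. */
#define LEGACY_REPLAY_MAX 32

struct legacy_replay {
	uint32_t seq;    /* highest sequence number accepted so far */
	uint32_t bitmap; /* bit i set => seq - i was already received */
	uint32_t window; /* configured window, always <= LEGACY_REPLAY_MAX */
};

/* Validate the requested window once, when the state is created, rather
 * than re-checking it on every packet. Returns false for 0 or > 32. */
bool legacy_replay_init(struct legacy_replay *r, uint32_t window)
{
	if (window == 0 || window > LEGACY_REPLAY_MAX)
		return false;
	r->seq = 0;
	r->bitmap = 0;
	r->window = window;
	return true;
}

/* Decide whether an incoming ESP sequence number may be accepted. */
bool legacy_replay_check(const struct legacy_replay *r, uint32_t seq)
{
	if (seq == 0)
		return false;            /* ESP sequence 0 is never valid */
	if (seq > r->seq)
		return true;             /* ahead of the window: always new */
	uint32_t diff = r->seq - seq;
	if (diff >= r->window)
		return false;            /* older than the window: drop */
	return !(r->bitmap & (1u << diff)); /* bit set => replayed packet */
}

/* Record an accepted sequence number, sliding the window if it moved. */
void legacy_replay_advance(struct legacy_replay *r, uint32_t seq)
{
	if (seq > r->seq) {
		uint32_t shift = seq - r->seq;
		r->bitmap = shift >= LEGACY_REPLAY_MAX ? 0 : r->bitmap << shift;
		r->bitmap |= 1u;
		r->seq = seq;
	} else {
		r->bitmap |= 1u << (r->seq - seq);
	}
}
```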