From: Christophe Gouault <christophe.gouault@6wind.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org, Saurabh Mohan <saurabh.mohan@vyatta.com>
Subject: Re: [PATCH RFC v3 0/12] vti4: prepare namespace and interfamily support.
Date: Tue, 04 Feb 2014 12:05:06 +0100 [thread overview]
Message-ID: <52F0C962.5080804@6wind.com> (raw)
In-Reply-To: <20140130095610.GR31491@secunet.com>
On 01/30/2014 10:56 AM, Steffen Klassert wrote:
> On Wed, Jan 29, 2014 at 11:55:40AM +0100, Christophe Gouault wrote:
> [...]
>> => there is no check that the forward vti security policy was
>> enforced.
>>
>
> Yes, that's true and this is a real problem. If we want to support
> namespace transitions with vti, we can't know if a packet is going
> to be forwarded or locally received in the other namespace. This means
> that we don't know if we should enforce a input or a forward policy.
>
> All we can do here, is to enforce a input policy before we do the
> namespace transition in the receive path. The patch below (on top
> of the vti patchset) should do this.
Hi Steffen, and thank you for the patch.
I tested it within a single netns, then with cross-netns. Both work as
follows:
- all the vti SPs and SAs must be created in the "outer" netns.
- only outbound and inbound vti policies are taken into account, not
forward vti policies.
in output:
- a global SPD lookup is performed before entering the vti
interface (in the inner netns). It can be bypassed by adding a policy
such as:
ip xfrm policy add dir out mark 0 dev vti1
- then a vti SPD lookup is performed with the vti interface (in the
outer netns).
in input:
- a global inbound policy check is done (in the outer netns)
on the IPsec packet by the vti interface.
- then the packet is decrypted.
- then a vti inbound policy check is done on the decrypted packet
(in the outer netns).
- then the packet device is set to the vti interface and its netns
is changed to the inner netns.
- finally, a global inbound/forward policy check is done on the
plaintext packet (without security context), as if it has just arrived
in plaintext from the network.
> But this has the implication that forward policies do not make
> much sense in combination with vti. This is a bit contrary to
> traditional xfrm processing. But on the other hand, we receive
> plaintext packets from the vti device so we should not check
> for any IPsec processing that happened before we received the
> packets via the vti device.
Unfortunately, the inbound/forward policy checks do not take the inbound
interface into account (__xfrm_decode_session does not properly fill in
the iif field of the flowi), so in the last global policy check, there
is no way of differentiating a plaintext packet directly received from
the network from a plaintext packet that was processed by a vti interface.
Intuitively, I would like to do the same as in output: add a policy that
accepts packets received via a vti interface, and only check more
closely other packets directly received from the network.
Best Regards,
Christophe.
next prev parent reply other threads:[~2014-02-04 11:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-27 10:29 [PATCH RFC v3 0/12] vti4: prepare namespace and interfamily support Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 01/12] xfrm4: Add IPsec protocol multiplexer Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 02/12] esp4: Use the IPsec protocol multiplexer API Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 03/12] ah4: " Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 04/12] ipcomp4: " Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 05/12] xfrm: Add xfrm_tunnel_skb_cb to the skb common buffer Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 06/12] ip_tunnel: Make vti work with i_key set Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 07/12] vti: Update the ipv4 side to use it's own receive hook Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 08/12] xfrm4: Remove xfrm_tunnel_notifier Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 09/12] vti4: Use the on xfrm_lookup returned dst_entry directly Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 10/12] vti4: Support inter address family tunneling Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 11/12] vti4: Check the tunnel endpoints of the xfrm state and the vti interface Steffen Klassert
2014-01-27 10:29 ` [PATCH RFC v3 12/12] vti4: Enable namespace changing Steffen Klassert
2014-01-28 0:35 ` [PATCH RFC v3 0/12] vti4: prepare namespace and interfamily support David Miller
2014-01-29 10:55 ` Christophe Gouault
2014-01-30 9:56 ` Steffen Klassert
2014-02-04 11:05 ` Christophe Gouault [this message]
2014-02-14 7:48 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52F0C962.5080804@6wind.com \
--to=christophe.gouault@6wind.com \
--cc=netdev@vger.kernel.org \
--cc=saurabh.mohan@vyatta.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).