From: Antony Antony <antony@phenome.org>
To: Michael Richardson <mcr@sandelman.ca>
Cc: antony.antony@secunet.com,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, David Ahern <dsahern@kernel.org>,
devel@linux-ipsec.org, Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH net 1/1] xfrm: fix source address in icmp error generation from IPsec gateway
Date: Thu, 4 Apr 2024 14:16:33 +0200 [thread overview]
Message-ID: <Zg6aIbUV-oj4wPMq@Antony2201.local> (raw)
In-Reply-To: <28050.1712230684@obiwan.sandelman.ca>
Hi Michael,
On Thu, Apr 04, 2024 at 07:38:04AM -0400, Michael Richardson via Devel
wrote:
>
> Antony Antony via Devel <devel@linux-ipsec.org> wrote:
> > This commit would force to use source address from the gatway/host.
> > The ICMP error message source address correctly set from the host.
>
> While that seems more correct, since that host is generating, it might not
> fit into the IPsec tunnel, and therefore might go the right place or
> anywhere. Perhaps you could pick the internal IP of the gateway, but in
> more complex policies, the gateway itself might not be part of the VPN.
>
> > Again before the fix ping -W 5 -c 1 10.1.4.3 From 10.1.4.3 icmp_seq=1
> > Destination Host Unreachable
>
> > After the fix From 10.1.3.2 icmp_seq=1 Destination Host Unreachable
>
> ip -netns host2 xfrm policy add src 10.1.1.0/24 dst 10.1.4.0/24 dir out \
> flag icmp tmpl src 10.1.2.1 dst 10.1.3.2 proto esp reqid 1 mode tunnel
>
> As far as I can see, 10.1.3.2 does not fit into this policy.
Indeed, 10.1.3.2 does not match the policy. However, notice the
"flag icmp" in the above line. That means the policy lookup will use the inner
payload for policy lookup as specified in RFC 4301, Section 6, which
will match. The inner payload 10.1.4.1 <=> 10.1.4.3 will match the policy.
> You appear to be selecting the outside ("WAN") interface of the gateway.
> It would be less confusing if you had used 172.16.0.0/24 for the outside of
> the gateways in your example.
With this fix, I am leaving the source address selection of the error
response to the stack instead of unconditionally copying from the packet
that was dropped. So, in a simple case, the outgoing interface will be
the end of the tunnel, i.e., 10.1.3.2. Also that is the end point of the
tunnel.
> How will the WAN interface manage to talk to the internal sender of the
> packet except via the tunnel?
WAN is geneerating an ESP packet? In this case ESP tunnel mode with
10.1.3.2. Note: the reciver has also the icmp enabled.
-antony
next prev parent reply other threads:[~2024-04-04 12:16 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-04 10:29 [PATCH net 0/1] fix icmp error source with ICMP reverse lookup Antony Antony
2024-04-04 10:31 ` [PATCH net 1/1] xfrm: fix source address in icmp error generation from IPsec gateway Antony Antony
2024-04-04 11:38 ` [devel-ipsec] " Michael Richardson
2024-04-04 12:16 ` Antony Antony [this message]
2024-04-04 14:39 ` Michael Richardson
2024-04-04 15:23 ` Antony Antony
2024-04-04 15:35 ` Michael Richardson
2024-04-05 12:27 ` Antony Antony
2024-04-05 12:21 ` [devel-ipsec] " Tero Kivinen
2024-04-04 12:35 ` Tobias Brunner
2024-04-09 2:15 ` Jakub Kicinski
2024-04-10 17:48 ` 14141 Antony Antony
2024-04-11 0:49 ` 14141 Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zg6aIbUV-oj4wPMq@Antony2201.local \
--to=antony@phenome.org \
--cc=antony.antony@secunet.com \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=mcr@sandelman.ca \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).