Re: [devel-ipsec] [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sabrina Dubroca <sd@queasysnail.net>
To: Antony Antony <antony@phenome.org>
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>,
	Antony Antony <antony.antony@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	netdev@vger.kernel.org, devel@linux-ipsec.org,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: [devel-ipsec] [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out
Date: Thu, 11 Apr 2024 11:24:06 +0200	[thread overview]
Message-ID: <ZhesNtc8tdTfuvRd@hog> (raw)
In-Reply-To: <ZhbFVGc8p9u0xQcv@Antony2201.local>

2024-04-10, 18:59:00 +0200, Antony Antony wrote:
> On Wed, Apr 10, 2024 at 10:56:34AM +0200, Sabrina Dubroca wrote:
> > 2024-04-09, 19:23:04 +0200, Antony Antony wrote:
> > > Good point. I will add  {seq,seq_hi} validation. I don't think we add a for 
> > > {oseq,oseq_hi} as it might be used by strongSwan with: ESN  replay-window 1, 
> > > and migrating an SA.
> > 
> > I'm not at all familiar with that. Can you explain the problem?
> 
> strongSwan sets ESN and replay-window 1 on "out" SA. Then to migrgate, when 
> IKEv2  mobike exchange succeds, it use GETSA read {oseq,oseq_hi} and the 
> attributes, delete this SA.  Then create a new SA, with a different end 
> point, and with old SA's {oseq,oseq_hi} and other parameters(curlft..).  
> While Libreswan and Android use XFRM_MSG_MIGRATE.

Ok, thanks. But that's still an output SA. Setting {oseq,oseq_hi} on
an input SA is bogus I would think?


> > > > xfrma_policy is convenient but not all attributes are valid for all
> > > > requests. Old attributes can't be changed, but we should try to be
> > > > more strict when we introduce new attributes.
> > > 
> > > To clarify your feedback, are you suggesting the API should not permit 
> > > XFRMA_SA_DIR for methods like XFRM_MSG_DELSA, and only allow it for 
> > > XFRM_MSG_NEWSA and XFRM_MSG_UPDSA? I added XFRM_MSG_UPDSA, as it's used 
> > > equivalently to XFRM_MSG_NEWSA by *swan.
> > 
> > Not just DELSA, also all the *POLICY, ALLOCSPI, FLUSHSA, etc. NEWSA
> > and UPDSA should accept it, but I'm thinking none of the other
> > operations should. It's a property of SAs, not of other xfrm objects.
> 
> For instance, there isn't a validation for unused XFRMA_SA_EXTRA_FLAGS in 
> DELSA; if set, it's simply ignored. Similarly, if XFRMA_SA_DIR were set in 
> DELSA, it would also be disregarded. Attempting to introduce validations for 
> DELSA and other methods seems like an extensive cleanup task. Do we consider 
> this level of validation within the scope of our current patch? It feels 
> like we are going too far.

No, I wouldn't introduce validation of other attributes. It doesn't
belong in this patch(set), and I'm not sure we can add it now as it
might break userspace (I don't see why userspace would pass
XFRMA_ALG_AEAD etc on a DELSA request, but if we never rejected it,
they could).

But rejecting this new attribute from messages that don't handle it
would be good, and should be done in this patch/series.

-- 
Sabrina

next prev parent reply	other threads:[~2024-04-11  9:24 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-05 12:40 [PATCH ipsec-next v6] xfrm: Add Direction to the SA in or out Antony Antony
2024-04-05 13:31 ` Nicolas Dichtel
2024-04-05 21:56 ` Sabrina Dubroca
2024-04-06 12:36   ` [devel-ipsec] " Christian Hopps
2024-04-07  8:23   ` Antony Antony
2024-04-08 13:02     ` Sabrina Dubroca
2024-04-09 17:23       ` Antony Antony
2024-04-10  8:56         ` Sabrina Dubroca
2024-04-10 16:59           ` Antony Antony
2024-04-10 21:41             ` Christian Hopps
2024-04-11  0:58             ` Paul Wouters
2024-04-11  9:23               ` Sabrina Dubroca
2024-04-11 11:03                 ` Steffen Klassert
2024-04-11  9:24             ` Sabrina Dubroca [this message]
2024-04-11 10:36               ` Antony Antony
2024-04-11 20:14                 ` Sabrina Dubroca
2024-04-11 10:57             ` Steffen Klassert
2024-04-10  6:27       ` Nicolas Dichtel
2024-04-10  7:26         ` Sabrina Dubroca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZhesNtc8tdTfuvRd@hog \
    --to=sd@queasysnail.net \
    --cc=antony.antony@secunet.com \
    --cc=antony@phenome.org \
    --cc=davem@davemloft.net \
    --cc=devel@linux-ipsec.org \
    --cc=edumazet@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=nicolas.dichtel@6wind.com \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).