From: Antony Antony <antony.antony@secunet.com>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: Antony Antony <antony.antony@secunet.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
<netdev@vger.kernel.org>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Chiachang Wang <chiachangwang@google.com>,
Yan Yan <evitayan@google.com>, <devel@linux-ipsec.org>,
Simon Horman <horms@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP
Date: Mon, 2 Feb 2026 13:57:56 +0100 [thread overview]
Message-ID: <aYCfVAeKGqF7MIRq@moon.secunet.de> (raw)
In-Reply-To: <aXyV028imsUPWSyq@krikkit>
On Fri, Jan 30, 2026 at 12:28:19 +0100, Sabrina Dubroca wrote:
> 2026-01-27, 11:42:40 +0100, Antony Antony wrote:
> > The current code prevents migrating an SA from UDP encapsulation to
> > plain ESP. This is needed when moving from a NATed path to a non-NATed
> > one, for example when switching from IPv4+NAT to IPv6.
> >
> > Only copy the existing encapsulation during migration if the encap
> > attribute is explicitly provided.
>
> Are we sure nobody out there relies on this behavior (silently copying
> the existing UDP encap without having to explicitly request it in the
> MIGRATE request)? If there are, this patch would break their setup by
> clearing the encap that they expect to still be present.
Libreswan and Android are the main users of migrate method. Libreswan sets the
value in every call. I am guessing Android does that too.
Yan, would this patch cause regression in Android?
Without this fix migrating from v4 nat to v6 and no v4 nat won't work.
Also the ENCAP migrate with UDP port was broken before, 2017,
the commit 4ab47d47af20 ("xfrm: extend MIGRATE with UDP encapsulation port") ?
So likely it was never used by older code and PF_KEY.
For the new methed strongSwan wants to support migrating from UDP encap
to no UDP encap.
regards
-antony
PS : Steffen advised not to Fixes tag.
next prev parent reply other threads:[~2026-02-02 12:58 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 10:41 [PATCH ipsec-next v5 0/8] xfrm: XFRM_MSG_MIGRATE_STATE new netlink message Antony Antony
2026-01-27 10:42 ` [PATCH ipsec-next v5 1/8] xfrm: add missing __rcu annotation to nlsk Antony Antony
2026-02-26 17:07 ` Sabrina Dubroca
2026-03-05 7:46 ` [devel-ipsec] " Antony Antony
2026-01-27 10:42 ` [PATCH ipsec-next v5 2/8] xfrm: remove redundant assignments Antony Antony
2026-01-27 10:42 ` [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP Antony Antony
2026-01-30 11:28 ` Sabrina Dubroca
2026-02-02 12:57 ` Antony Antony [this message]
[not found] ` <CADhJOfbkUFaPfxTBrmOnrEh2JvxPKpkxaRrSdJHZGxeoQsQTcw@mail.gmail.com>
2026-02-02 19:38 ` [devel-ipsec] " Antony Antony
2026-02-24 3:28 ` Yan Yan
2026-02-26 15:41 ` Antony Antony
2026-03-06 2:49 ` Yan Yan
2026-01-27 10:42 ` [PATCH ipsec-next v5 4/8] xfrm: rename reqid in xfrm_migrate Antony Antony
2026-01-27 10:43 ` [PATCH ipsec-next v5 5/8] xfrm: split xfrm_state_migrate into create and install functions Antony Antony
2026-01-27 10:43 ` [PATCH ipsec-next v5 7/8] xfrm: add error messages to state migration Antony Antony
2026-01-30 12:14 ` Sabrina Dubroca
2026-02-26 15:43 ` [devel-ipsec] " Antony Antony
2026-02-26 16:59 ` Sabrina Dubroca
2026-03-02 14:06 ` Antony Antony
2026-01-27 10:44 ` [PATCH ipsec-next v5 8/8] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration Antony Antony
2026-02-03 21:25 ` Sabrina Dubroca
2026-02-26 15:46 ` Antony Antony
2026-02-26 18:05 ` Sabrina Dubroca
2026-03-02 14:21 ` [devel-ipsec] " Antony Antony
2026-02-27 1:44 ` Yan Yan
2026-02-27 11:26 ` [devel-ipsec] " Sabrina Dubroca
2026-02-27 23:14 ` Yan Yan
2026-03-08 14:42 ` Antony Antony
2026-03-10 11:09 ` Sabrina Dubroca
2026-03-10 16:52 ` Antony Antony
2026-03-14 0:32 ` Yan Yan
2026-03-05 7:51 ` Antony Antony
2026-01-27 10:50 ` [PATCH ipsec-next v5 6/8] xfrm: add state synchronization after migration Antony Antony
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aYCfVAeKGqF7MIRq@moon.secunet.de \
--to=antony.antony@secunet.com \
--cc=chiachangwang@google.com \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=edumazet@google.com \
--cc=evitayan@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox