Netdev List
 help / color / mirror / Atom feed
From: Antony Antony <antony@phenome.org>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: Antony Antony <antony.antony@secunet.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>, David Ahern <dsahern@kernel.org>,
	Masahide NAKAMURA <nakam@linux-ipv6.org>,
	Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <skhan@linuxfoundation.org>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	selinux@vger.kernel.org, linux-doc@vger.kernel.org,
	Chiachang Wang <chiachangwang@google.com>,
	Yan Yan <evitayan@google.com>,
	devel@linux-ipsec.org
Subject: Re: [devel-ipsec] Re: [PATCH ipsec-next v8 14/14] xfrm: add documentation for XFRM_MSG_MIGRATE_STATE
Date: Tue, 26 May 2026 21:02:18 +0200	[thread overview]
Message-ID: <ahXuOr8Wz4CMcZXu@Antony2201.local> (raw)
In-Reply-To: <agHSPUBZg0tHezM-@krikkit>

On Mon, May 11, 2026 at 02:57:33PM +0200, Sabrina Dubroca wrote:
> Overall a very document, thanks. Some comments:
>
> 2026-05-05, 06:34:55 +0200, Antony Antony wrote:
> > +    struct xfrm_user_migrate_state {
> > +        struct xfrm_usersa_id  id;       /* spi, daddr, proto, family */
> > +        xfrm_address_t         new_daddr;
> > +        xfrm_address_t         new_saddr;
> > +        struct xfrm_mark       old_mark; /* SA lookup: key = v & m */
> > +        struct xfrm_selector   new_sel;  /* new selector (see Flags) */
> > +        __u32                  new_reqid;
> > +        __u32                  flags;    /* XFRM_MIGRATE_STATE_* */
> > +        __u16                  new_family;
> > +        __u16                  reserved;
> > +    };
>
> Thinking about the UAPI a bit more, maybe this would be a good time to
> start introducing a "proper" netlink API for XFRM? Instead of having
> the main properties in a fixed struct, and a few attributes as an
> afterthought, use attributes as the main way to exchange information?
>
> Then we can start adding the attributes as alternative to the fixed
> headers in some other ops, and later start deprecating the current
> API?
>
> (for some reason this thought only popped up when I had the html
> rendering in front of me, sorry it's so late in the process)

Interesting thought. However, when adding selector support I considered
this, and realized it would require introducing several new XFRMA attributes to
cover the fields currently in several fixed struct. That is a larger
change and out of scope for this series.
In general I go back forward on this.

> [...]
> > +Flags
> > +=====
> > +
> > +The ``flags`` field in ``xfrm_user_migrate_state`` controls optional
> > +migration behaviour. Unknown flag bits are ignored.
>
> Maybe better to reject unknown flag bits (as well as unknown
> attributes beyond XFRMA_MAX), so that we can fully control their
> behavior, and not risk incorrectly migrating an SA if a "too-recent"
> userspace passes attributes we don't know (then if we fail to handle
> them in the kernel, the SA may not handle the traffic).
>
> (Steffen and you will have a much better understanding of the security
> risks here than me)

Good point. Done in v9.

Unknown flag bits are now rejected with -EINVAL. The extended ACK message
reports the specific unrecognised bits, e.g.:

  "Unknown flags: 0x4"

A new UAPI constant XFRM_MIGRATE_STATE_KNOWN_FLAGS is added to
<linux/xfrm.h> so userspace can validate flags before sending:

  if (flags & ~XFRM_MIGRATE_STATE_KNOWN_FLAGS)
          /* flag not known to this kernel header version */

Note: this constant reflects the flags defined in the header userspace
was compiled against, which may differ from what the running kernel
accepts. The documentation is updated accordingly.

-migration behaviour. Unknown flag bits are ignored.
+migration behaviour. Unknown flag bits are rejected with ``-EINVAL``; the
+extended ACK message identifies the unrecognised bits (e.g. ``"Unknown flags:
+0x4"``). Userspace can use ``XFRM_MIGRATE_STATE_KNOWN_FLAGS`` (defined in
+``<linux/xfrm.h>``) to validate flags before sending; note that this constant
+reflects the flags known to the header version userspace was compiled against,
+which may differ from what the running kernel accepts.

>
>
> > +Migration Steps
> > +===============
>
> maybe add:
>
> Userspace is expected to:
>
> > +#. Install a block policy to drop traffic on the affected selector.
> > +#. Remove the old policy.
> > +#. Call ``XFRM_MSG_MIGRATE_STATE`` for each SA.
> > +#. Reinstall the policies.
> > +#. Remove the block policy.

The section is restructured in v9 into Outgoing SA and Incoming SA
subsections. The outgoing procedure is introduced with "To prevent
cleartext traffic leaks, install a block policy before migrating:"
rather than a  mandate - userspace can make an informed choice
depending on the AEAD in use. The incoming section explains that no
block policy is needed and advises being liberal in acceptance to
avoid packet loss during the migration window.

> > +
> > +Block Policy and IV Safety
> > +--------------------------
> > +
> > +Installing a block policy before migration is required to prevent
> > +traffic leaks and IV reuse in counter mode.
> > +
> > +AES-GCM IV uniqueness is critical: reusing a (key, IV) pair allows
> > +an attacker to recover the authentication subkey and forge
> > +authentication tags, breaking both confidentiality and integrity.
> > +
> > +``XFRM_MSG_MIGRATE_STATE`` atomically copies the sequence number and
> > +replay window from the old SA to the new SA and deletes the old SA.
> > +The block policy ensures no outgoing packets are sent in the migration
> > +window, preventing IV reuse under the same key.
>
> Does it matter that the copy is done atomically if we expect userspace
> to install a block policy? (without the block, I'll have to recheck to
> convince myself whether it would be safe, and TBH I'm still a bit
> confused by patch 8)

The Block Policy and IV Safety section is clarified in v9. The block
policy serves two purposes: (1) prevent cleartext traffic leaks during
the migration window, and (2) for AES-GCM, prevent IV reuse by
ensuring no outgoing packets are sent under the same key.

The atomic copy complements the block policy for outgoing — together
they eliminate both risks. For incoming SAs the atomic copy is the
primary mechanism: it ensures replay protection continues without a
gap. The block policy is not needed on the incoming side.
>
> > +Feature Detection
> > +=================
> > +
> > +Userspace can probe for kernel support by sending a minimal
> > +``XFRM_MSG_MIGRATE_STATE`` message with a non-existent SPI:
> > +
> > +- ``-ENOPROTOOPT``: not supported (``CONFIG_XFRM_MIGRATE`` not enabled)
> > +- any other error: supported
>
>
> xfrm_user_rcv_msg
>
> if (type > XFRM_MSG_MAX)
>         return -EINVAL;
>
>
> Userspace will hit that on a kernel that may have migrate but not
> XFRM_MSG_MIGRATE_STATE, no?

Good catch. Fixed in v9: three cases are now documented — -EINVAL
(kernel predates the message type), -ENOPROTOOPT (CONFIG_XFRM_MIGRATE
disabled), -ESRCH (supported). Probe uses a non-zero non-existent SPI
to avoid conflating the SPI=0 validation -EINVAL with the
type-out-of-range -EINVAL.

>
>
> [...]
> > +Error Handling
> > +==============
> > +
> > +If the target SA tuple (daddr, SPI, proto, family) is occupied by an existing
> > +unrelated SA, the operation returns ``-EEXIST``.
>
> All this happens under xfrm_cfg_mutex, so if we did an initial lookup
> for the new SA before starting the operation, we could ensure there's
> no dupe, and the mutex would guarantee no insertion. No?

Done in v9. A pre-check lookup is added before cloning when the SA
tuple changes (new daddr or new family). If the new tuple is already
occupied -EEXIST is returned while the old SA is still intact, safe
to retry. The install failure path comment is updated to reflect it
is now a safety net only.

-antony

      reply	other threads:[~2026-05-26 19:02 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-05  4:31 [PATCH ipsec-next v8 00/14] xfrm: XFRM_MSG_MIGRATE_STATE new netlink message Antony Antony
2026-05-05  4:31 ` [PATCH ipsec-next v8 01/14] xfrm: remove redundant assignments Antony Antony
2026-05-07 10:37   ` Sabrina Dubroca
2026-05-05  4:32 ` [PATCH ipsec-next v8 02/14] xfrm: add extack to xfrm_init_state Antony Antony
2026-05-07 10:37   ` Sabrina Dubroca
2026-05-05  4:32 ` [PATCH ipsec-next v8 03/14] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP Antony Antony
2026-05-07  9:26   ` Sabrina Dubroca
2026-05-05  4:32 ` [PATCH ipsec-next v8 04/14] xfrm: fix NAT-related field inheritance in SA migration Antony Antony
2026-05-07  9:33   ` Sabrina Dubroca
2026-05-07  9:56     ` Steffen Klassert
2026-05-07 10:13       ` Sabrina Dubroca
2026-05-05  4:32 ` [PATCH ipsec-next v8 05/14] xfrm: rename reqid in xfrm_migrate Antony Antony
2026-05-05  4:33 ` [PATCH ipsec-next v8 06/14] xfrm: split xfrm_state_migrate into create and install functions Antony Antony
2026-05-07 10:11   ` Sabrina Dubroca
2026-05-05  4:33 ` [PATCH ipsec-next v8 07/14] xfrm: check family before comparing addresses in migrate Antony Antony
2026-05-07 10:35   ` Sabrina Dubroca
2026-05-05  4:33 ` [PATCH ipsec-next v8 08/14] xfrm: add state synchronization after migration Antony Antony
2026-05-05  4:33 ` [PATCH ipsec-next v8 09/14] xfrm: add error messages to state migration Antony Antony
2026-05-07 12:56   ` Sabrina Dubroca
2026-05-05  4:34 ` [PATCH ipsec-next v8 10/14] xfrm: move encap and xuo into struct xfrm_migrate Antony Antony
2026-05-07 13:26   ` Sabrina Dubroca
2026-05-05  4:34 ` [PATCH ipsec-next v8 11/14] xfrm: refactor XFRMA_MTIMER_THRESH validation into a helper Antony Antony
2026-05-05  4:34 ` [PATCH ipsec-next v8 12/14] xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration Antony Antony
2026-05-07  9:12   ` Steffen Klassert
2026-05-11  9:13   ` Sabrina Dubroca
2026-05-26 19:01     ` [devel-ipsec] " Antony Antony
2026-05-05  4:34 ` [PATCH ipsec-next v8 13/14] xfrm: restrict netlink attributes for XFRM_MSG_MIGRATE_STATE Antony Antony
2026-05-05  4:34 ` [PATCH ipsec-next v8 14/14] xfrm: add documentation " Antony Antony
2026-05-11 12:57   ` Sabrina Dubroca
2026-05-26 19:02     ` Antony Antony [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ahXuOr8Wz4CMcZXu@Antony2201.local \
    --to=antony@phenome.org \
    --cc=antony.antony@secunet.com \
    --cc=chiachangwang@google.com \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=devel@linux-ipsec.org \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=evitayan@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nakam@linux-ipv6.org \
    --cc=netdev@vger.kernel.org \
    --cc=omosnace@redhat.com \
    --cc=pabeni@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=sd@queasysnail.net \
    --cc=selinux@vger.kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=steffen.klassert@secunet.com \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox