Currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.
The problem is that the vxlan module uses the vxlan6_get_route()
function to find out the route for transmitting an IPv6 packet, which in
turn uses ip6_dst_lookup() available in ip6_output.c.
Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup,
so the xfrm framework cannot be used with vxlan6.
To fix the issue above, the vxlan6_get_route() function has been patched
by adding a missing call to xfrm_lookup_route(). With that change,
vxlan6_get_route() is now capable of looking up a route that also takes
xfrm policies into account, if any.
Signed-off-by: Andrea Mayer <[email protected]>
Signed-off-by: Paolo Lungaroni <[email protected]>
---
drivers/net/vxlan.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index bf04bc2e68c2..bec55a911c4f 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2306,6 +2306,11 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
return ERR_PTR(-ENETUNREACH);
}
+ ndst = xfrm_lookup_route(vxlan->net, ndst, flowi6_to_flowi(&fl6),
+ sock6->sock->sk, 0);
+ if (IS_ERR_OR_NULL(ndst))
+ return ERR_PTR(-ENETUNREACH);
+
if (unlikely(ndst->dev == dev)) {
netdev_dbg(dev, "circular route to %pI6\n", daddr);
dst_release(ndst);
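Review bot: the added xfrm_lookup_route() call after the ip6_dst_lookup() error check duplicates what ip6_dst_lookup_flow() already does internally, and the reply below points out that commit 6c8991f41546 switched the ipv6_stub to ip6_dst_lookup_flow; on a current net tree this hunk would therefore run the xfrm policy lookup twice per transmitted packet. Please retest against the latest net tree before resubmitting. If the call is still needed there, two smaller points: xfrm_lookup_route() returns an ERR_PTR, never NULL, so plain IS_ERR() is the idiomatic check instead of `if (IS_ERR_OR_NULL(ndst))`, and collapsing every xfrm failure into `return ERR_PTR(-ENETUNREACH);` hides the real reason (a policy that forbids the flow yields -EPERM), so propagating `ERR_PTR(PTR_ERR(ndst))` would make debugging blocked tunnels easier. The reference handling itself looks right: xfrm_lookup_route() releases the original dst on error, so no dst_release() is needed on that path.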
--
2.20.1
2020-01-15, 20:22:31 +0100, Andrea Mayer wrote:
> currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.
> The problem is that the vxlan module uses the vxlan6_get_route()
> function to find out the route for transmitting an IPv6 packet, which in
> turn uses ip6_dst_lookup() available in ip6_output.c.
> Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup,
> so the xfrm framework cannot be used with vxlan6.
That's not the case anymore, since commit 6c8991f41546 ("net:
ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup").
Can you retest on the latest net tree?
Thanks.
--
Sabrina
On Wed, 15 Jan 2020 22:16:21 +0100
Sabrina Dubroca <[email protected]> wrote:
> 2020-01-15, 20:22:31 +0100, Andrea Mayer wrote:
> > currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.
> > The problem is that the vxlan module uses the vxlan6_get_route()
> > function to find out the route for transmitting an IPv6 packet, which in
> > turn uses ip6_dst_lookup() available in ip6_output.c.
> > Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup,
> > so the xfrm framework cannot be used with vxlan6.
>
> That's not the case anymore, since commit 6c8991f41546 ("net:
> ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup").
>
> Can you retest on the latest net tree?
>
> Thanks.
>
> --
> Sabrina
>
Hi Sabrina,
thanks for sharing the fix.
Sorry, my net tree was a bit outdated. I will retest with the fix and let you know.
--
Andrea Mayer <[email protected]>
On Thu, 16 Jan 2020 14:28:39 +0100
Andrea Mayer <[email protected]> wrote:
> On Wed, 15 Jan 2020 22:16:21 +0100
> Sabrina Dubroca <[email protected]> wrote:
>
> > 2020-01-15, 20:22:31 +0100, Andrea Mayer wrote:
> > > currently IPSEC cannot be used to encrypt/decrypt IPv6 vxlan traffic.
> > > The problem is that the vxlan module uses the vxlan6_get_route()
> > > function to find out the route for transmitting an IPv6 packet, which in
> > > turn uses ip6_dst_lookup() available in ip6_output.c.
> > > Unfortunately ip6_dst_lookup() does not perform any xfrm route lookup,
> > > so the xfrm framework cannot be used with vxlan6.
> >
> > That's not the case anymore, since commit 6c8991f41546 ("net:
> > ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup").
> >
> > Can you retest on the latest net tree?
> >
> > Thanks.
> >
> > --
> > Sabrina
> >
>
> Hi Sabrina,
> thanks for sharing the fix.
> Sorry, my net tree was a bit outdated. I will retest with the fix and let you know.
>
> --
> Andrea Mayer <[email protected]>
Hi,
I've tested the new net tree in my setup and now vxlan6 and IPSec seem to work well.
Thanks.
--
Andrea Mayer <[email protected]>