Subject: Re: IPSec: AH/ESP combination problems
To: "David S. Miller" <davem@redhat.com>
Cc: kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org
Message-ID: <OFBA809B11.11A01039-ON86256CCC.0073A2BB-86256CCC.0075F426@pok.ibm.com>
From: "Tom Lendacky" <toml@us.ibm.com>
Date: Thu, 13 Feb 2003 15:28:22 -0600
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1484
Lines: 32


After some more reading of the RFC I realized that my logic is incorrect in
regards to what I called Problem #1 and #2 and that those are not problems.
I don't believe that it is valid to have a combination of [IP][AH][ESP][IP]
for tunnel mode and that the test I used to drive that needs to be changed.

   You can enforce the ordering exactly when the xfrm templates
   are built, this ensures that any fully resolved xfrm state
   created from them have the correct ordering as well.

As for the ordering of the modes (transport then tunnel) and the ordering
of the protocols within transport mode (IPCOMP then ESP then AH) I see
where that fix can be incorporated (in parse_ipsecrequests of af_key.c).
My question is should I do any ordering of the protocols within tunnel
mode.  While the ordering within transport mode is specified in the RFCs
(2401 and 3173), tunnel mode has no such requirement that I can tell.  Any
suggestions or should the order just be how the request is received by the
pfkey interface?

Also, the general direction I am looking at for the fix is to loop through
the requests multiple times processing IPCOMP transport first, then ESP
transport, then AH transport, and then the tunnel mode protocols.

Tom


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/