From: kuznet@ms2.inr.ac.ru
Message-Id: <200302171825.VAA31465@sex.inr.ac.ru>
Subject: Re: IPSec: AH/ESP combination problems
To: toml@us.ibm.com (Tom Lendacky)
Date: Mon, 17 Feb 2003 21:25:38 +0300 (MSK)
Cc: linux-kernel@vger.kernel.org, davem@redhat.com
In-Reply-To: <3E4AD852.4060300@us.ibm.com> from "Tom Lendacky" at Feb 12, 3 05:27:14 pm
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1424
Lines: 42

Hello!

> Problem #1: AH/ESP Tunnel mode input [IP-outer][AH][ESP][IP-inner]
> 
> When processing the input in xfrm4_rcv in xfrm_input.c, a check
> is made after processing the AH header to determine if the policy
> specified tunnel mode.  If tunnel mode was specified, then a
> check is made to see if the next header is an IP header.  If it
> is not an IP header then the packet is dropped.  However, if
> ESP tunnel mode has also been applied to the packet the next
> header will be the ESP header which must first be decrypted.

If you make this you want to get:

AH - IPIP - ESP - IPIP.


> Problem #2: AH/ESP Tunnel mode output [IP-outer][AH][ESP][IP-inner]
> 
> When creating the output for an AH header in ah_output of ah.c,
> a check is made to see if the policy specified tunnel mode.  If
> tunnel mode is specified, then an IPIP header is added after the AH
> header. 

The same as above.


> Problem #3: RFC 2401 order of AH and ESP headers
> 
> According to RFC 2401, if both AH and ESP headers are to be
> applied in transport mode,

It is not kernel problem and even not a problem of setkey, we allow to apply
arbitrary transformations in arbitrary order.

Alexey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/