Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp413530pxy;
        Wed, 5 May 2021 05:27:08 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwp9+VlAMfjR/maIOAF0VyPXl1mM/OzUQ4WqecNeGHfTgfU35d0gKDdmzLANhv+RuxugJ1J
X-Received: by 2002:a17:907:1b06:: with SMTP id mp6mr27611858ejc.292.1620217628449;
        Wed, 05 May 2021 05:27:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620217628; cv=none;
        d=google.com; s=arc-20160816;
        b=vKAAd8plAxqUsrRDE24VTnfCoBtJKG3h1nj5UUDVr+Q+MdH070ZzlTW8otT9SDcNWn
         H0c1gbUZ7ANezhW2YSWx29ZEpG4z8eUkdF7XuJKLVz+ykG37eoCnMWTEU51tcxV67OdM
         tOw4VC6ekYyONg8/KR+NL5SXpsyM8ueq7GMtPPAGQc3J00wLlDBdx2KfI5cnVmk45l/r
         fz72uR8KKsxILobbE1dp/3e2+EGlrw2F0efbV/b3BfQy+duGiMxZc4g2Xg0DKcnO5J3/
         2DO7HeFTqjiJKWxNEqFD1oRhkDLdENMDNJcbvl/aJVF3wuuYS+5kzA6W9ndZx5g8CW6u
         QyXA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:references:message-id
         :in-reply-to:subject:cc:to:from:date;
        bh=HUHNjcya/aCGYHEZ5CteQSBAVR7jnqZjDiN82ZEPbuY=;
        b=tjViLUhtrh7PIfU7OnLVCW9usFnk1MHY/FXqW0r4tM1MywhNThuy16KOnFWP78vw4Z
         eC1cxEZzGLwS2U2ANgEkrWjIPWxgOuT3RCqEOxMO0pp5MpfL9JC2ZW8R+SVqAn/+1G+W
         6q3Z9A5We2GAw6b1IkzGPdpxiRw7SsC4hGPOEBzTAjG8LUOTY7crnzyxf/Ic8bRTBQFO
         hi5b4dAvs29wq2X654cEZp7wtw7CBWnrtuL999cbWoR0DM2R0boqDpPw8+hOHN1z5j+R
         7rSA7midvi8kxcXJgnmIH+gls8PTidhEtvqtlUQlENAkS/nC7zzBGgOR7exxZgOtEm8d
         /2Bg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g17si6316967ejr.16.2021.05.05.05.26.42;
        Wed, 05 May 2021 05:27:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233287AbhEEM0P (ORCPT <rfc822;liyi.pear@gmail.com> + 99 others);
        Wed, 5 May 2021 08:26:15 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38316 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233282AbhEEM0M (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 May 2021 08:26:12 -0400
X-Greylist: delayed 494 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 05 May 2021 05:25:14 PDT
Received: from a3.inai.de (a3.inai.de [IPv6:2a01:4f8:10b:45d8::f5])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BEE66C061574;
        Wed,  5 May 2021 05:25:14 -0700 (PDT)
Received: by a3.inai.de (Postfix, from userid 25121)
        id 81D42588A36D9; Wed,  5 May 2021 14:16:57 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
        by a3.inai.de (Postfix) with ESMTP id 765B06167A36C;
        Wed,  5 May 2021 14:16:57 +0200 (CEST)
Date:   Wed, 5 May 2021 14:16:57 +0200 (CEST)
From:   Jan Engelhardt <jengelh@inai.de>
To:     Florian Westphal <fw@strlen.de>
cc:     Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>,
        pablo@netfilter.org, kadlec@netfilter.org, davem@davemloft.net,
        kuba@kernel.org, linux-kernel@vger.kernel.org,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: nf_conntrack: Add conntrack helper for
 ESP/IPsec
In-Reply-To: <20210414154021.GE14932@breakpoint.cc>
Message-ID: <pq161666-47s-p680-552o-58poo05onr86@vanv.qr>
References: <20210414035327.31018-1-Cole.Dishington@alliedtelesis.co.nz> <20210414154021.GE14932@breakpoint.cc>
User-Agent: Alpine 2.24 (LSU 510 2020-10-10)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On Wednesday 2021-04-14 17:40, Florian Westphal wrote:
>
>Preface: AFAIU this tracker aims to 'soft-splice' two independent ESP
>connections, i.e.: saddr:spi1 -> daddr, daddr:spi2 <- saddr. [...] This can't
>be done as-is, because we don't know spi2 at the time the first ESP packet is
>received. The solution implemented here is introduction of a 'virtual esp id',
>computed when first ESP packet is received,[...]

I can't imagine this working reliably.

1. The IKE daemons could do an exchange whereby just one ESP flow is set up (from
daddr to saddr). It's unusual to do a one-way tunnel, but it's a possibility.
Then you only ever have ESP packets going from daddr to saddr.

2. Even if the IKE daemons set up what we would consider a normal tunnel,
i.e. one ESP flow per direction, there is no obligation that saddr has to
send anything. daddr could be contacting saddr solely with a protocol
that is both connectionless at L4 and which does not demand any L7 responses
either. Like ... syslog-over-udp?

3. Even under best conditions, what if two clients on the saddr network
simultaneously initiate a connection to daddr, how will you decide
which of the daddr ESP SPIs belongs to which saddr?