From: Paul Wouters
Subject: Re: IPsec PFP support on linux
Date: Tue, 2 May 2017 09:58:28 -0400
To: Sowmini Varadhan
Cc: steffen.klassert@secunet.com, borisp@mellanox.com, swan@lists.libreswan.org, netdev@vger.kernel.org, ilant@mellanox.com, linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au
In-Reply-To: <20170502123238.GE5843@oracle.com>

I think you want to use Opportunistic IPsec, e.g. see
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

Note that IKEv2 also allows you to define one connection and instantiate a connection based on the trigger packet whose src/dst proto/port are included in the IKEv2 packet as traffic selectors. See RFC7296 and "narrowing".

Paul

Sent from my iPhone

> On May 2, 2017, at 08:32, Sowmini Varadhan <sowmini.varadhan@oracle.com> wrote:
>
> I have a question about linux support for IPsec PFP (as defined in
> rfc 4301). I am assuming this exists, and is accessible from uspace,
> in which case I need some hints on how to set it up.
>
> Assuming I have a server listening at port 5001 that I want to
> secure via ipsec. Suppose I want to make sure that each TCP/UDP 5-tuple
> sending packets to port 5001 gets its own SA.
>
> RFC4301 has this:
>
>       - SPD-S: For traffic that is to be protected using IPsec, the
>         entry consists of the values of the selectors that apply to the
>         traffic to be protected via AH or ESP, controls on how to
>         create SAs based on these selectors, ...
>
> and further down
>
>      If IPsec processing is specified for
>      an entry, a "populate from packet" (PFP) flag may be asserted for
>      one or more of the selectors in the SPD entry (Local IP address;
>      Remote IP address; Next Layer Protocol; and, depending on Next
>      Layer Protocol, Local port and Remote port, or ICMP type/code, or
>      Mobility Header type).  If asserted for a given selector X, the
>      flag indicates that the SA to be created should take its value for
>      X from the value in the packet.  Otherwise, the SA should take its
>      value(s) for X from the value(s) in the SPD entry.
>
> A google search produces a discarded patch
> http://marc.info/?l=linux-netdev&m=119746758904140
> but it's not clear to me how to set this up (if PFP works fine,
> as suggested by Herbert's response above)
>
> I tried experimenting with IP_XFRM_POLICY from a simple udp client but
> (a) that seems to require an SPI and reqid to set up the SPD
> (b) I see the SADB_ACQUIRE upcall being triggered after the local port
>     is bound (and SADB entry is set up for the lport).  But ike phase2
>     does not converge for the lport specific sadb added
>     by the bind (even in quick mode)
>
> My understanding is that pluto should be generating SPIs to make sure
> they are sufficiently unique/random etc. so (a) makes me think I'm
> either not setting this up or not using this correctly.
>
> Any hints/sample code/RTFMs would be helpful (documentation for
> IP_XFRM_POLICY seems scant, afaict). I'd be happy to share my
> udp client program, if it can provide more context to my question.
>
> --Sowmini
>
> _______________________________________________
> Swan mailing list
> Swan@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
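The IKEv2 "narrowing" Paul points to (RFC 7296 section 2.9) is what gives the per-5-tuple behaviour Sowmini is after: the initiator lists the triggering packet's exact addresses and ports as the first traffic selector in TSi/TSr, followed by its broader SPD entry, and the responder picks a subset that fits its own policy, either that exact flow (one Child SA per 5-tuple, as PFP would) or the widest overlap. The model below is an added example written for this page; it is not code from the thread, from libreswan or from pluto. It is IPv4 only, the scenario values (10.0.0.5:40000 sending UDP to 10.0.1.7:5001, the two SPD ranges) are constructed, and every name in it (TrafficSelector, initiator_proposal, responder_narrow, initiator_accepts, the per_flow switch) is this example's own rather than an RFC or kernel identifier.

```python
"""IKEv2 traffic-selector narrowing (RFC 7296 section 2.9), modelled in Python.

Added example, not code from the thread or from libreswan/pluto. IPv4 only;
all names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

IPPROTO_UDP = 17


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE: protocol (0 = any), port range, address range."""
    proto: int
    start_port: int
    end_port: int
    start_addr: IPv4Address
    end_addr: IPv4Address

    @classmethod
    def from_network(cls, net: str, proto: int = 0, port: Optional[int] = None) -> "TrafficSelector":
        n = IPv4Network(net)
        lo, hi = (port, port) if port is not None else (0, 65535)
        return cls(proto, lo, hi, n[0], n[-1])

    def contains(self, other: "TrafficSelector") -> bool:
        """True if every flow matched by `other` is also matched by self."""
        proto_ok = self.proto == 0 or self.proto == other.proto
        return (proto_ok
                and self.start_port <= other.start_port and other.end_port <= self.end_port
                and self.start_addr <= other.start_addr and other.end_addr <= self.end_addr)

    def intersect(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        """Largest selector matched by both sides, or None if they do not overlap."""
        if self.proto and other.proto and self.proto != other.proto:
            return None
        lo_p, hi_p = max(self.start_port, other.start_port), min(self.end_port, other.end_port)
        lo_a, hi_a = max(self.start_addr, other.start_addr), min(self.end_addr, other.end_addr)
        if lo_p > hi_p or lo_a > hi_a:
            return None
        return TrafficSelector(self.proto or other.proto, lo_p, hi_p, lo_a, hi_a)

    def size(self) -> int:
        """Number of (address, port) pairs matched; used to prefer the widest narrowing."""
        return (int(self.end_addr) - int(self.start_addr) + 1) * (self.end_port - self.start_port + 1)


# Constructed trigger-packet tuple: (src, sport, dst, dport, proto)
Trigger = Tuple[IPv4Address, int, IPv4Address, int, int]


def initiator_proposal(trigger: Trigger, spd_local: TrafficSelector,
                       spd_remote: TrafficSelector) -> Tuple[List[TrafficSelector], List[TrafficSelector]]:
    """Build TSi/TSr the way RFC 7296 2.9 suggests: exact trigger flow first, SPD range second."""
    src, sport, dst, dport, proto = trigger
    exact_i = TrafficSelector(proto, sport, sport, src, src)
    exact_r = TrafficSelector(proto, dport, dport, dst, dst)
    if not (spd_local.contains(exact_i) and spd_remote.contains(exact_r)):
        raise ValueError("trigger packet is outside the initiator's own SPD entry")
    return [exact_i, spd_local], [exact_r, spd_remote]


class TSUnacceptable(Exception):
    """Stands in for the TS_UNACCEPTABLE notification the responder would send."""


def responder_narrow(tsi, tsr, spd_remote, spd_local, per_flow: bool):
    """Responder side. spd_remote is matched against TSi (the peer's side), spd_local
    against TSr. per_flow=True narrows to the trigger-derived first selectors when they
    fit the responder's policy (one Child SA per 5-tuple); otherwise take the widest overlap."""
    if per_flow and spd_remote.contains(tsi[0]) and spd_local.contains(tsr[0]):
        return tsi[0], tsr[0]
    cand_i = [x for x in (spd_remote.intersect(t) for t in tsi) if x is not None]
    cand_r = [x for x in (spd_local.intersect(t) for t in tsr) if x is not None]
    if not cand_i or not cand_r:
        raise TSUnacceptable("no overlap between proposed selectors and responder SPD")
    return max(cand_i, key=TrafficSelector.size), max(cand_r, key=TrafficSelector.size)


def initiator_accepts(tsi, tsr, chosen_i, chosen_r) -> bool:
    """The check the initiator must make on the answer: the narrowed selectors have to be
    a subset of something it proposed, otherwise the responder widened the SA's scope."""
    return any(t.contains(chosen_i) for t in tsi) and any(t.contains(chosen_r) for t in tsr)


def demo(per_flow: bool):
    # Constructed scenario: UDP client 10.0.0.5:40000 sends to server 10.0.1.7:5001.
    trigger = (IPv4Address("10.0.0.5"), 40000, IPv4Address("10.0.1.7"), 5001, IPPROTO_UDP)
    # Initiator SPD: UDP from 10.0.0.0/24 to port 5001 on any host in 10.0.1.0/24.
    tsi, tsr = initiator_proposal(trigger,
                                  TrafficSelector.from_network("10.0.0.0/24", IPPROTO_UDP),
                                  TrafficSelector.from_network("10.0.1.0/24", IPPROTO_UDP, 5001))
    # Responder SPD: only its own host, 5001/udp, from any client in 10.0.0.0/16.
    chosen = responder_narrow(tsi, tsr,
                              TrafficSelector.from_network("10.0.0.0/16", IPPROTO_UDP),
                              TrafficSelector.from_network("10.0.1.7/32", IPPROTO_UDP, 5001),
                              per_flow)
    assert initiator_accepts(tsi, tsr, *chosen)
    return chosen


if __name__ == "__main__":
    for flag in (True, False):
        ci, cr = demo(flag)
        print(f"per_flow={flag}: TSi={ci}  TSr={cr}")
```

With per_flow=True the Child SA ends up covering exactly 10.0.0.5:40000 to 10.0.1.7:5001/udp, so a second client port triggers a second SA, which is the per-5-tuple outcome of the thread; with per_flow=False the same proposal yields one SA for all of 10.0.0.0/24 to the server port. In both cases initiator_accepts is the guard that rejects a responder answer wider than what was proposed.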