NetBSD-Bugs archive


Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports



(2014/06/21 1:00), Christos Zoulas wrote:
> I just looked at the patches (the xz file). There doesn't seem to be anything
> interesting there. Except the EDNS stuff, which is done incorrectly (it should
> be using the new resolver routines).

I looked at the Linux kernel and found it simply ignores the checksum.

esp4.c
                /*
                 * 2) ignore UDP/TCP checksums in case
...
                if (x->props.mode == XFRM_MODE_TRANSPORT)
                        skb->ip_summed = CHECKSUM_UNNECESSARY;

The Linux kernel always works without NAT-OAs. This is one decision; the
integrity of IPsec packets is guaranteed by ESP-Auth, AES-GCM, or AH
in most cases. Some old Internet-Drafts recommend this behavior. But
our racoon supports the NAT-OA payload to keep the checksum consistent.
It's a little better to use it correctly.


I found racoon tells only one of NAT-OAi or NAT-OAr to the NetBSD kernel.
If it told both NAT-OAi and NAT-OAr, we could update the checksum
independently of the negotiation side.

 newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr

I will fix racoon, and the kernel, to do this. If there is no NAT-OA,
Linux-compatible behavior should be good.

-- 
SUENAGA Hiroki <hsuenaga%netbsd.org@localhost>
facebook.com/hiroki.suenaga

PGP: 66B3 8939 6758 20BA F243  89EC 557A 8CFB ABA9 5E92

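The checksum update the mail proposes (newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr), worked through in standalone code. This is an added example, not code from the mail, from racoon, or from the NetBSD or Linux kernels. It reads "sum" as the ones-complement sum before the final inversion, so the stored checksum field is inverted on the way in and out, and subtraction is done as addition of the ones-complement. The addresses, ports and payload are constructed sample values; the function names are this example's own.

```c
/*
 * Added illustration (not from the original mail, racoon, or any kernel):
 * adjust a UDP checksum whose pseudo-header was built from the NAT-OA
 * (pre-NAT) addresses so that it verifies against the addresses actually
 * seen after NAT. All addresses and packet bytes are constructed samples.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_UDP_NUM 17

/* Fold a 32-bit accumulator down to a 16-bit ones-complement sum. */
static uint16_t csum_fold(uint32_t acc)
{
	while (acc >> 16)
		acc = (acc & 0xffff) + (acc >> 16);
	return (uint16_t)acc;
}

/* Ones-complement sum of a byte string as big-endian 16-bit words. */
static uint32_t csum_bytes(const uint8_t *p, size_t len)
{
	uint32_t acc = 0;

	for (; len > 1; p += 2, len -= 2)
		acc += ((uint32_t)p[0] << 8) | p[1];
	if (len)
		acc += (uint32_t)p[0] << 8;
	return acc;
}

/* Ones-complement sum of an IPv4 address (host-order value) as two words. */
static uint32_t csum_addr(uint32_t a)
{
	return (a >> 16) + (a & 0xffff);
}

/* Full UDP checksum over IPv4 pseudo-header + UDP header + payload.
 * The checksum field inside 'udp' must be zero when this is called. */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
	uint32_t acc = csum_addr(src) + csum_addr(dst)
	    + IPPROTO_UDP_NUM + (uint32_t)len + csum_bytes(udp, len);
	return (uint16_t)~csum_fold(acc);
}

/* Verify a datagram whose checksum field is filled in: the sum over the
 * pseudo-header and the datagram must fold to 0xffff. */
int udp_checksum_ok(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
	uint32_t acc = csum_addr(src) + csum_addr(dst)
	    + IPPROTO_UDP_NUM + (uint32_t)len + csum_bytes(udp, len);
	return csum_fold(acc) == 0xffff;
}

/* Incremental update: newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr.
 * The field stores ~sum, so invert in and out; -x in ones-complement is ~x. */
uint16_t udp_checksum_nat_oa(uint16_t old_field,
    uint32_t nat_oai, uint32_t nat_oar, uint32_t ipsrc, uint32_t ipdst)
{
	uint32_t oldsum = (uint16_t)~old_field;
	uint32_t acc = oldsum + csum_addr(ipsrc) + csum_addr(ipdst)
	    + csum_addr(~nat_oai) + csum_addr(~nat_oar);
	return (uint16_t)~csum_fold(acc);
}

/* Constructed sample: UDP 4500 -> 5000, length 12, checksum zeroed, "abcd". */
const uint8_t sample_udp[12] = {
	0x11, 0x94, 0x13, 0x88, 0x00, 0x0c, 0x00, 0x00,
	0x61, 0x62, 0x63, 0x64
};

/* Constructed addresses: the pair the sender used (carried in NAT-OA) and
 * the pair the receiver actually sees after NAT. */
#define NAT_OAI 0xC0A8010AU  /* 192.168.1.10 */
#define NAT_OAR 0x0A000005U  /* 10.0.0.5     */
#define IPSRC   0xCB007107U  /* 203.0.113.7  */
#define IPDST   0xC6336409U  /* 198.51.100.9 */

/* Whole scenario; returns 1 when the incremental result equals a full
 * recomputation and verifies against the post-NAT addresses. */
int nat_oa_demo(void)
{
	uint8_t pkt[sizeof sample_udp];
	uint16_t sent, full, incr;

	memcpy(pkt, sample_udp, sizeof pkt);
	/* Sender computed the checksum over its own, pre-NAT, addresses. */
	sent = udp_checksum(NAT_OAI, NAT_OAR, pkt, sizeof pkt);
	pkt[6] = sent >> 8; pkt[7] = sent & 0xff;
	if (!udp_checksum_ok(NAT_OAI, NAT_OAR, pkt, sizeof pkt))
		return 0;
	/* The same bytes with the post-NAT addresses no longer verify. */
	if (udp_checksum_ok(IPSRC, IPDST, pkt, sizeof pkt))
		return 0;
	/* Fix up using only the NAT-OA payloads and the addresses seen. */
	incr = udp_checksum_nat_oa(sent, NAT_OAI, NAT_OAR, IPSRC, IPDST);
	full = udp_checksum(IPSRC, IPDST, sample_udp, sizeof sample_udp);
	pkt[6] = incr >> 8; pkt[7] = incr & 0xff;
	return incr == full && udp_checksum_ok(IPSRC, IPDST, pkt, sizeof pkt);
}

int main(void)
{
	printf("incremental NAT-OA checksum update %s\n",
	    nat_oa_demo() ? "matches full recomputation" : "FAILED");
	return 0;
}
```

When NAT-OA is absent the receiver has no pre-NAT addresses to feed into the update, which is the situation in which the mail suggests falling back to the Linux behaviour of not verifying the inner checksum at all.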
