NetBSD-Bugs archive
Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
The following reply was made to PR bin/47894; it has been noted by GNATS.
From: SUENAGA Hiroki <hsuenaga%openbsd.org@localhost>
To: Christos Zoulas <christos%zoulas.com@localhost>,
Egerváry Gergely <gergely%egervary.hu@localhost>,
gnats-bugs%NetBSD.org@localhost,
gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Date: Tue, 24 Jun 2014 11:18:07 +0900
(2014/06/21 1:00), Christos Zoulas wrote:
> I just looked at the patches (the xz file). There doesn't seem to be anything
> interesting there. Except the EDNS stuff, which is done incorrectly (it should
> be using the new resolver routines).
I looked at the Linux kernel and found it simply ignores the checksum.
esp4.c:
    /*
     * 2) ignore UDP/TCP checksums in case
    ...
    if (x->props.mode == XFRM_MODE_TRANSPORT)
        skb->ip_summed = CHECKSUM_UNNECESSARY;
The Linux kernel always works without NAT-OAs. This is one decision; the
integrity of IPsec packets is guaranteed by ESP-Auth, AES-GCM, or AH in
most cases. Some old Internet-Drafts recommend this behavior. But our
racoon supports the NAT-OA payload to keep the checksum consistent.
It's a little better to use it correctly.
I found that racoon tells only one of NAT-OAi or NAT-OAr to the NetBSD kernel.
If it told both NAT-OAi and NAT-OAr, we could update the checksum
independently of the negotiation side:
    newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr
I will fix racoon, and the kernel, to do this. If there is no NAT-OA,
Linux-compatible behavior should be good.
--
SUENAGA Hiroki <hsuenaga%netbsd.org@localhost>
facebook.com/hiroki.suenaga
PGP: 66B3 8939 6758 20BA F243 89EC 557A 8CFB ABA9 5E92
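The checksum update the message proposes, written out as an added C example that is neither racoon's nor the NetBSD kernel's code: a full IPv4 UDP checksum next to the incremental RFC 1624 fixup that swaps the NAT-OA addresses for the addresses seen on the wire without re-reading the payload. The UDP datagram and all addresses are constructed for the demonstration; the zero-checksum and all-ones cases are handled as IPv4 UDP requires.

```c
#include <stdint.h>
#include <stddef.h>
/* Fold a wide one's-complement accumulator into 16 bits. */
static uint16_t csum_fold(uint64_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* Add the two 16-bit halves of an IPv4 address to the accumulator. */
static uint64_t csum_addr(uint64_t sum, uint32_t a)
{
    return sum + (a >> 16) + (a & 0xffff);
}
/* Full UDP checksum over the IPv4 pseudo-header and the datagram (checksum field zeroed). */
uint16_t udp4_csum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    uint64_t s = csum_addr(csum_addr(17 + len, src), dst);   /* proto 17 + UDP length */
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        s += (uint16_t)((udp[i] << 8) | udp[i + 1]);
    if (i < len)
        s += (uint16_t)(udp[i] << 8);      /* odd trailing byte, zero padded */
    uint16_t c = ~csum_fold(s);
    return c ? c : 0xffff;                 /* RFC 768: a computed zero is sent as all-ones */
}
/* Incremental update (RFC 1624): newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr in
 * one's complement, so the payload is not re-read. Zero means "no checksum" for IPv4 UDP. */
uint16_t udp4_csum_fixup(uint16_t oldsum, uint32_t oa_src, uint32_t oa_dst,
                         uint32_t ip_src, uint32_t ip_dst)
{
    if (oldsum == 0)
        return 0;
    uint64_t s = (uint16_t)~oldsum;        /* recover the raw one's-complement sum */
    s = csum_addr(csum_addr(s, ip_src), ip_dst);       /* + ipsrc + ipdst */
    s = csum_addr(csum_addr(s, ~oa_src), ~oa_dst);     /* - NAT-OAi - NAT-OAr */
    uint16_t c = ~csum_fold(s);
    return c ? c : 0xffff;
}
/* Constructed sample: UDP 4500->4500, 4 payload bytes, checksum field zero. */
static const uint8_t demo_udp[] = { 0x11, 0x94, 0x11, 0x94, 0x00, 0x0c, 0x00, 0x00,
                                    0xde, 0xad, 0xbe, 0xef };
/* 1 when fixing up from the NAT-OA pair (10.0.0.5 -> 192.0.2.1) to the wire pair
 * (198.51.100.7 -> 192.0.2.1) agrees with a full recomputation over the wire addresses. */
int demo_fixup_matches(void)
{
    uint16_t inner = udp4_csum(0x0a000005u, 0xc0000201u, demo_udp, sizeof demo_udp);
    uint16_t fixed = udp4_csum_fixup(inner, 0x0a000005u, 0xc0000201u, 0xc6336407u, 0xc0000201u);
    return fixed == udp4_csum(0xc6336407u, 0xc0000201u, demo_udp, sizeof demo_udp);
}
```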