NetBSD-Bugs archive

Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports

The following reply was made to PR bin/47894; it has been noted by GNATS.

From: SUENAGA Hiroki <>
To: Christos Zoulas <>, ly <>,,,
Subject: Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Date: Tue, 24 Jun 2014 11:18:07 +0900

 (2014/06/21 1:00), Christos Zoulas wrote:
 > I just looked at the patches (the xz file). There doesn't seem to be anything
 > interesting there. Except the EDNS stuff, which is done incorrectly (it should
 > be using the new resolver routines).
 I looked at the Linux kernel and found it simply ignores the checksum.
                 /*
                  * 2) ignore UDP/TCP checksums in case
                  [...]
                 if (x->props.mode == XFRM_MODE_TRANSPORT)
                         skb->ip_summed = CHECKSUM_UNNECESSARY;
 The Linux kernel always works without NAT-OAs. This is one decision; the
 integrity of IPsec packets is guaranteed by ESP-Auth, AES-GCM, or AH
 in most cases. Some old Internet-Drafts recommend this behavior. But
 our racoon supports the NAT-OA payload to keep the checksum consistent.
 It's a little better to use it correctly.
 I found that racoon tells only one of NAT-OAi or NAT-OAr to the NetBSD kernel.
 If it told the kernel both NAT-OAi and NAT-OAr, we could update the checksum
 independently of the negotiation side:
   newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr
 I will fix racoon, and the kernel, to do this. If there is no NAT-OA,
 Linux-compatible behavior should be good.
 SUENAGA Hiroki <>
 PGP: 66B3 8939 6758 20BA F243  89EC 557A 8CFB ABA9 5E92
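The incremental update rule quoted in the message, newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr, worked through in C as an added example; this is not code from the PR, from racoon, or from either kernel. It computes a UDP checksum the way a transport-mode sender would, simulates a NAT rewriting one outer address, and then repairs the checksum on the receiving side using only the two NAT-OA addresses the peer sent plus the addresses in the received header, checking the result against a full recompute. The topology (192.168.1.10 behind a NAT that maps it to 203.0.113.7, responder 198.51.100.5), the datagram, and all function names are constructed for this example; the one assumption it makes about the protocol is that the NAT-OA pair handed to the receiver is the pair the peer sent, i.e. the addresses the peer used when it computed the checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One's-complement sum of big-endian 16-bit words, accumulated into 'acc'. */
static uint32_t ocsum(const uint8_t *buf, size_t len, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (i < len)                      /* odd trailing byte: pad with a zero byte */
        acc += (uint32_t)buf[i] << 8;
    return acc;
}

/* Fold a 32-bit accumulator to 16 bits with end-around carry. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Add an IPv4 address (host byte order) to the accumulator as two words. */
static uint32_t add_addr(uint32_t acc, uint32_t a)
{
    return acc + (a >> 16) + (a & 0xffffu);
}

/* Final complement; an all-zero UDP checksum is transmitted as 0xffff. */
static uint16_t finish(uint32_t acc)
{
    uint16_t c = (uint16_t)~fold(acc);
    return c == 0 ? 0xffffu : c;
}

/* Full UDP checksum over IPv4 pseudo-header, UDP header and payload.
 * 'udp' is the datagram with its checksum field zeroed. */
static uint16_t udp_checksum(uint32_t src, uint32_t dst,
                             const uint8_t *udp, size_t udplen)
{
    uint32_t acc = 0;
    acc = add_addr(acc, src);
    acc = add_addr(acc, dst);
    acc += 17u;                       /* IPPROTO_UDP */
    acc += (uint32_t)udplen;
    return finish(ocsum(udp, udplen, acc));
}

/* The message's rule on a received transport-mode datagram.  ipsrc/ipdst are
 * the addresses in the received (already NATed) IP header; nat_oai/nat_oar
 * are the NAT-OA pair the peer sent, i.e. what the peer summed when it built
 * the checksum (assumption of this example).  The stored field is the
 * complement of the sum, so oldsum is ~old_csum, and subtracting a term means
 * adding its complement (RFC 1624).  Both NAT-OAs are subtracted and both
 * outer addresses added, so whichever address the NAT left alone cancels out
 * and the same call works no matter which side sits behind the NAT. */
static uint16_t nat_oa_fixup(uint16_t old_csum, uint32_t ipsrc, uint32_t ipdst,
                             uint32_t nat_oai, uint32_t nat_oar)
{
    if (old_csum == 0)                /* UDP: sender disabled the checksum */
        return 0;
    uint32_t acc = (uint16_t)~old_csum;       /* oldsum */
    acc = add_addr(acc, ipsrc);               /* + ipsrc */
    acc = add_addr(acc, ipdst);               /* + ipdst */
    acc = add_addr(acc, ~nat_oai);            /* - NAT-OAi */
    acc = add_addr(acc, ~nat_oar);            /* - NAT-OAr */
    return finish(acc);
}

/* Constructed topology: the initiator sits behind a NAT. */
#define INITIATOR_REAL 0xC0A8010Au    /* 192.168.1.10: initiator's own NAT-OAi */
#define INITIATOR_NAT  0xCB007107u    /* 203.0.113.7:  NAT-OAi as the responder sees it */
#define RESPONDER      0xC6336405u    /* 198.51.100.5: NAT-OAr in both views */

/* Constructed datagram: sport 40000, dport 53, length 13, csum 0, "hello". */
static const uint8_t udp_dgram[13] = {
    0x9c, 0x40, 0x00, 0x35, 0x00, 0x0d, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o'
};

/* Apply the rule in both directions; 1 if each fixup equals a full recompute
 * against the addresses actually present in the received header. */
static int nat_oa_fixup_roundtrip(void)
{
    /* initiator -> responder: peer's NAT-OA pair is (INITIATOR_REAL, RESPONDER) */
    uint16_t sent_a  = udp_checksum(INITIATOR_REAL, RESPONDER, udp_dgram, sizeof udp_dgram);
    uint16_t fixed_a = nat_oa_fixup(sent_a, INITIATOR_NAT, RESPONDER,
                                    INITIATOR_REAL, RESPONDER);
    uint16_t want_a  = udp_checksum(INITIATOR_NAT, RESPONDER, udp_dgram, sizeof udp_dgram);

    /* responder -> initiator: peer's NAT-OA pair is (INITIATOR_NAT, RESPONDER) */
    uint16_t sent_b  = udp_checksum(RESPONDER, INITIATOR_NAT, udp_dgram, sizeof udp_dgram);
    uint16_t fixed_b = nat_oa_fixup(sent_b, RESPONDER, INITIATOR_REAL,
                                    INITIATOR_NAT, RESPONDER);
    uint16_t want_b  = udp_checksum(RESPONDER, INITIATOR_REAL, udp_dgram, sizeof udp_dgram);

    return fixed_a == want_a && fixed_b == want_b;
}

int main(void)
{
    int ok = nat_oa_fixup_roundtrip();
    printf("NAT-OA checksum fixup %s in both directions\n", ok ? "matches" : "DOES NOT match");
    return ok ? 0 : 1;
}
```

The second direction is the one that breaks when only a single NAT-OA is known: the responder computed its checksum against 203.0.113.7, so the receiving initiator must subtract the peer's NAT-OAi (203.0.113.7), not its own address, which is exactly why the kernel needs both values and not a side-dependent one. TCP uses the same arithmetic without the zero-means-absent rule.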