Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys Remove unnecessary addresses in PF_KEY message.



details:   https://anonhg.NetBSD.org/src/rev/be5e2f39532c
branches:  trunk
changeset: 995515:be5e2f39532c
user:      knakahara <knakahara%NetBSD.org@localhost>
date:      Wed Dec 26 08:55:14 2018 +0000

description:
Remove unnecessary addresses in PF_KEY message.

MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
====================
5.  SPD Update
// snip
   SADB_X_SPDADD:
// snip
      sadb_x_ipsecrequest_reqid:

         An ID for that SA can be passed to the kernel in the
         sadb_x_ipsecrequest_reqid field.


      If tunnel mode is specified, the sadb_x_ipsecrequest structure is
      followed by two sockaddr structures that define the tunnel
      endpoint addresses.  In the case that transport mode is used, no
      additional addresses are specified.
====================
see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01

ipsecif(4) uses transport mode, so it should not add addresses.

diffstat:

 sys/net/if_ipsec.c |  11 ++---------
 sys/netipsec/key.c |  18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 11 deletions(-)

diffs (72 lines):

diff -r 43603c13b170 -r be5e2f39532c sys/net/if_ipsec.c
--- a/sys/net/if_ipsec.c        Wed Dec 26 08:25:52 2018 +0000
+++ b/sys/net/if_ipsec.c        Wed Dec 26 08:55:14 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $  */
+/*     $NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.20 2018/12/26 08:55:14 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1595,14 +1595,7 @@
        padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl);
        if (policy == IPSEC_POLICY_IPSEC) {
                if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
-               /*
-                * secpolicy.req->saidx.{src, dst} must be set port number,
-                * when it is used for NAT-T.
-                */
-               if_ipsec_add_mbuf_addr_port(m, src, sport, false);
-               if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
                padlen -= PFKEY_ALIGN8(sizeof(xisr));
-               padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len);
        }
        if_ipsec_add_pad(m, padlen);
 
diff -r 43603c13b170 -r be5e2f39532c sys/netipsec/key.c
--- a/sys/netipsec/key.c        Wed Dec 26 08:25:52 2018 +0000
+++ b/sys/netipsec/key.c        Wed Dec 26 08:55:14 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $   */
+/*     $NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $      */
 /*     $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.258 2018/12/22 14:28:57 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.259 2018/12/26 08:55:14 knakahara Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -1972,6 +1972,20 @@
                (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
 
                /* set IP addresses if there */
+               /*
+                * NOTE:
+                * MOBIKE Extensions for PF_KEY draft says:
+                *     If tunnel mode is specified, the sadb_x_ipsecrequest
+                *     structure is followed by two sockaddr structures that
+                *     define the tunnel endpoint addresses.  In the case that
+                *     transport mode is used, no additional addresses are
+                *     specified.
+                * see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01
+                *
+                * And then, the IP addresses will be set by
+                * ipsec_fill_saidx_bymbuf() from packet in transport mode.
+                * This behavior is used by NAT-T enabled ipsecif(4).
+                */
                if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
                        const struct sockaddr *paddr;
 



Home | Main Index | Thread Index | Old Index