Subject: kern/34843: FAST_IPSEC and "use"
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org>
From: None <jakllsch@kollasch.net>
List: netbsd-bugs
Date: 10/17/2006 20:25:05
>Number:         34843
>Category:       kern
>Synopsis:       "use" level policy doesn't seem to work right w/ FAST_IPSEC
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 17 20:25:05 +0000 2006
>Originator:     Jonathan A. Kollasch
>Release:        NetBSD 3.0
>Organization:
>Environment:
System: NetBSD kirkkit.kollasch.net 3.0 NetBSD 3.0 (KIRKKIT) #2: Mon Oct 16 21:27:42 CDT 2006 root@kirkkit.kollasch.net:/usr/src/sys/arch/i386/compile/KIRKKIT i386
Architecture: i386
Machine: i386
>Description:

A policy like this:

spdadd -4 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
esp/transport//use;
spdadd -4 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
esp/transport//use;

under KAME IPsec) allows this host to communicate with a
non-IPsec-enabled host.  Additionally, IPsec is used
when the other end responds with appropriate ISAKMP packets.

under FAST_IPSEC) sending fails with EINVAL when an SA does
not exist (yet).  This practically makes the "use" level
useless.

>How-To-Repeat:
Using FAST_IPSEC, attempt to use the "use" level to contact
a host that doesn't support IPsec.

>Fix:
Unknown.
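The following is an added illustration, not code from the PR or from the NetBSD kernel. It models the decision the report is about: given the two spdadd lines above, a packet, and whether a matching SA already exists, what should the stack do? The level semantics follow ipsec_set_policy(3): "use" means protect the packet if an SA exists and otherwise send it in the clear; "require" means an SA is mandatory and sending without one fails. Treating "default" like "use", modelling the SAD as a set of (src, dst, proto) tuples, and the sample addresses are assumptions of this example. The spdadd parser covers the `proto/mode/endpoints/level` form used in the report; setkey(8) accepts more syntax than this.

```python
"""Model of SPD level handling as described in ipsec_set_policy(3).

Added example, not NetBSD code. Parses spdadd(8)-style policy lines,
matches a packet against them and returns the expected action given
whether a matching SA exists. Assumptions: "default" behaves like "use"
(on NetBSD it follows the *_deflev sysctls), the SAD is a plain set of
(src, dst, proto) tuples (enough for transport mode), first SPD match wins.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# The two policy lines from the report, used here as sample input.
REPORT_POLICY = """
spdadd -4 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
esp/transport//use;
spdadd -4 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
esp/transport//use;
"""

# Same outbound policy at level "require", constructed for contrast.
REQUIRE_POLICY = ("spdadd -4 0.0.0.0/0 10.0.0.0/24 any -P out ipsec "
                  "esp/transport//require;")


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    upper: str        # upper-layer protocol spec, e.g. "any", "tcp"
    direction: str    # "in" or "out"
    proto: str        # "esp" or "ah"
    mode: str         # "transport" or "tunnel"
    endpoints: str    # "" in transport mode, "src-dst" in tunnel mode
    level: str        # "default", "use" or "require"


_SPDADD = re.compile(
    r"spdadd\s+(?:-[46n]\s+)*"                      # optional -4/-6/-n flags
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>\w+)/(?P<mode>\w+)/(?P<ep>[^/\s]*)/(?P<level>\w+)"
)


def _net(spec: str):
    """Address range as a network; drops an optional [port] suffix."""
    return ipaddress.ip_network(spec.split("[", 1)[0], strict=False)


def parse_spd(text: str) -> list[SpdEntry]:
    """Parse ';'-terminated spdadd statements, which may span lines."""
    entries = []
    for stmt in " ".join(text.split()).split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = _SPDADD.fullmatch(stmt)
        if m is None:
            raise ValueError("unsupported spdadd statement: " + stmt)
        entries.append(SpdEntry(_net(m["src"]), _net(m["dst"]), m["upper"],
                                m["dir"], m["proto"], m["mode"],
                                m["ep"], m["level"]))
    return entries


def lookup(entries, src: str, dst: str, direction: str):
    """First SPD entry whose direction and address ranges match the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.direction == direction and s in e.src and d in e.dst:
            return e
    return None


def decide(entries, sad, src: str, dst: str, direction: str) -> str:
    """Expected action: 'clear', 'ipsec' or 'error' (send fails, no SA)."""
    e = lookup(entries, src, dst, direction)
    if e is None:
        return "clear"                      # no policy: plain send
    if (src, dst, e.proto) in sad:
        return "ipsec"                      # SA available: protect
    if e.level == "require":
        return "error"                      # SA mandatory but absent
    return "clear"                          # "use"/"default": fall back


if __name__ == "__main__":
    spd = parse_spd(REPORT_POLICY)
    for sad in (set(), {("192.168.1.5", "10.0.0.7", "esp")}):
        print(sad or "no SA", "->",
              decide(spd, sad, "192.168.1.5", "10.0.0.7", "out"))
    print("require, no SA ->",
          decide(parse_spd(REQUIRE_POLICY), set(),
                 "192.168.1.5", "10.0.0.7", "out"))
```

With the report's policy and an empty SAD the model returns "clear" for the outbound packet, which is the KAME behaviour the submitter describes; the FAST_IPSEC kernel in the report returned EINVAL in that situation, i.e. it behaved as this model does only for level "require". When reproducing, `setkey -DP` shows the installed SPD and `setkey -D` the SAD, so the "no SA yet" precondition can be confirmed before the first send.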