tech-net archive
Re: IPsec vs ssh
On 2013/11/14 5:19, Darren Reed <darrenr%netbsd.org@localhost> wrote:
> 06:22:46.477581
> sadb_msg{ version=2 type=1(GETSPI) errno=0 satype=3 len=10 reserved=0 seq=3
> pid=13808
> sadb_ext{ len=2 type=1 }
> sadb_sa{ spi=192737835 replay=64 state=6 auth=76 encrypt=125 flags=0xfe01a8c0
> }
> sadb_ext{ len=3 type=5 }
> sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
> sockaddr{ len=16 family=2 port=4500 8da1044d }
> sadb_ext{ len=3 type=6 }
> sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
> sockaddr{ len=16 family=2 port=4500 0a0103fe }
This GETSPI message lacks NAT-T-TYPE and NAT-T-PORT payloads,
though the UPDATE message has NAT-T payloads. I think this
is an incorrect message sequence.
The original racoon adds the NAT-T payloads around here
(racoon/pfkey.c):
int
pk_sendgetspi(iph2)
        struct ph2handle *iph2;
{
...
#ifdef ENABLE_NATT
        if (pr->udp_encap) {
                natt_type = iph2->ph1->natt_options->encaps_type;
                sport = extract_port(src);
                dport = extract_port(dst);
        }
#endif
...
        if (pfkey_send_getspi_nat(
                        lcconf->sock_pfkey,
                        satype,
                        mode,
                        dst,            /* src of SA */
                        src,            /* dst of SA */
                        natt_type,
                        dport,
                        sport,
...
----------
Internet Initiative Japan Inc.
Management Service Section,
Product Development Department,
Product Division,
Technology Unit
SUENAGA Hiroki <hsuenaga%iij.ad.jp@localhost>
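As an added illustration of what the quoted dump is missing (this is not racoon's or libipsec's code): a small Python script that builds PF_KEY messages with the layouts seen in the dump, walks the sadb_ext chain, and reports which NAT-T extension types an UPDATE carries that the GETSPI for the same SA lacks. The NAT-T extension numbers 20/21/22 and the encapsulation type value are assumptions taken from the KAME/NetBSD <net/pfkeyv2.h>; confirm them against your own header.

```python
import struct

# PF_KEY v2 constants as in <net/pfkeyv2.h>. The NAT-T extension numbers are
# the KAME/NetBSD ones (assumption: confirm against your own header).
SADB_GETSPI, SADB_UPDATE = 1, 2
SADB_EXT_SA, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST = 1, 5, 6
SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT = 20, 21, 22
NATT_EXTS = {SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT}
UNIT = 8  # every sadb_*_len field counts 64-bit words

def ext(ext_type, body):
    """Prepend an sadb_ext header; header (4 bytes) + body must be 8-byte aligned."""
    assert (len(body) + 4) % UNIT == 0
    return struct.pack("=HH", (len(body) + 4) // UNIT, ext_type) + body

def address_ext(ext_type, ip_hex, port):
    """sadb_address (proto=255, /32) followed by a BSD sockaddr_in (sin_len=16, AF_INET=2)."""
    sin = struct.pack("=BB", 16, 2) + struct.pack("!H4s", port, bytes.fromhex(ip_hex)) + bytes(8)
    return ext(ext_type, struct.pack("=BBH", 255, 32, 0) + sin)

def natt_exts(encaps_type, sport, dport):
    """sadb_x_nat_t_type plus the two sadb_x_nat_t_port payloads (the ones GETSPI lacks in the dump)."""
    return [ext(SADB_X_EXT_NAT_T_TYPE, struct.pack("=B3x", encaps_type)),
            ext(SADB_X_EXT_NAT_T_SPORT, struct.pack("!H2x", sport)),
            ext(SADB_X_EXT_NAT_T_DPORT, struct.pack("!H2x", dport))]

def build_msg(msg_type, exts, seq, pid=13808):
    """sadb_msg header (version=2, satype=3 ESP) followed by the extension chain."""
    body = b"".join(exts)
    return struct.pack("=BBBBHHII", 2, msg_type, 0, 3, (16 + len(body)) // UNIT, 0, seq, pid) + body

def ext_types(msg):
    """Walk the extension chain after the 16-byte header and return the ext types in order."""
    version, _, _, _, msg_len = struct.unpack_from("=BBBBH", msg)
    if version != 2 or msg_len * UNIT != len(msg):
        raise ValueError("bad sadb_msg header")
    types, off = [], 16
    while off < len(msg):
        ext_len, ext_type = struct.unpack_from("=HH", msg, off)
        if ext_len == 0:
            raise ValueError("zero-length extension at offset %d" % off)
        types.append(ext_type)
        off += ext_len * UNIT
    return types

def missing_natt_in_getspi(getspi, update):
    """NAT-T ext types the UPDATE carries but the GETSPI for the same SA lacks (empty = consistent)."""
    assert getspi[1] == SADB_GETSPI and update[1] == SADB_UPDATE
    return sorted(NATT_EXTS & (set(ext_types(update)) - set(ext_types(getspi))))

# Constructed samples mirroring the dump in the mail: SA, src 141.161.4.77:4500, dst 10.1.3.254:4500.
SA = ext(SADB_EXT_SA, struct.pack("=IBBBBI", 192737835, 64, 6, 76, 125, 0xfe01a8c0))
ADDRS = [address_ext(SADB_EXT_ADDRESS_SRC, "8da1044d", 4500),
         address_ext(SADB_EXT_ADDRESS_DST, "0a0103fe", 4500)]
GETSPI_AS_DUMPED = build_msg(SADB_GETSPI, [SA] + ADDRS, seq=3)  # 80 bytes, len=10 as in the dump
GETSPI_WITH_NATT = build_msg(SADB_GETSPI, [SA] + ADDRS + natt_exts(2, 4500, 4500), seq=3)
UPDATE_WITH_NATT = build_msg(SADB_UPDATE, [SA] + ADDRS + natt_exts(2, 4500, 4500), seq=4)

if __name__ == "__main__":
    print("GETSPI lacks:", missing_natt_in_getspi(GETSPI_AS_DUMPED, UPDATE_WITH_NATT))  # [20, 21, 22]
```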