UDP_ENCAP_ESPINUDP_NON_IKE

[Maxime Villard <max%m00nbsd.net@localhost>]

I think it would be good to retire UDP_ENCAP_ESPINUDP_NON_IKE. It is not
part of any RFC, it was just introduced in a draft, and then subsequently
removed from that draft.

RFC3948 makes authority, and it documents only the Non-ESP marker - that
is to say, UDP_ENCAP_ESPINUDP.

I think we are not supposed to support undocumented options.

FreeBSD did the same, see [1]. OpenBSD has never had that, it seems.

The reason I'm bringing this, is because there appears to be a bug with
UDP_ENCAP_ESPINUDP_NON_IKE, in udp_usrreq.c:

1317         skip = sizeof(struct udphdr) + 2 * sizeof(uint32_t);
1318     }
1319
1320     /*
1321      * Get the UDP ports. They are handled in network order
1322      * everywhere in the IPSEC_NAT_T code.
1323      */
1324     udphdr = (struct udphdr *)((char *)data - skip);

Here we have:

    data = mtod(m) + IP_header_len + sizeof(struct udphdr)

So it is wrong to substract 'skip', because then 'udphdr' will point to
some data in the IP header. I'm not sure if it means the code has never
worked, or if I'm just completely misreading it.

What do you think? I asked Ryota and Kengo, they don't know. One concern is
raccoon, because it supports each draft that led to the RFC [2]. To me this
is wrong too, there shouldn't be support for temporary specs, that have no
meaning once the RFC is out.

Don't know.

Maxime

[1] http://freshbsd.org/commit/freebsd/r309808
[2] https://nxr.netbsd.org/xref/src/crypto/dist/ipsec-tools/src/racoon/vendorid.c#67