tech-net archive



On 21/05/2018 at 17:47, Chuck Zmudzinski wrote:
We would have to configure a remote host that uses the non-IKE markers and
doesn't use the RFC to test the way the kernel currently deals with that.

Yes, and that's a case that we are not supposed to support. Just like we're
not supposed to support all the drafts that led to the many RFCs available
out there.

So I suggest we disable ENABLE_NATT_00. This will disable draft-00, in such a
way that racoon will never use non-IKE markers. Then we remove ESPINUDP_NON_IKE
from the kernel.

If we do this, we will find out if the old code was working and someone was
relying on it, because this will break it and that person will file a bug.

What? The kernel code doesn't work in the first place.

Disabling NATT_00 on racoon under NetBSD does not remove a feature, since it
already doesn't work on NetBSD.

To me the current code in racoon is wrong, it shouldn't automatically use
non-IKE markers when there is no NAT-T.

And no, there won't be a bug report, for the same reason we didn't get a
report in the last 13 years about broken non-IKE markers in the kernel.

(Well, there was one guy that figured this out a few months ago, and it was

Can you recompile racoon without ENABLE_NATT_00 and test again? You should be
able to do so by uncommenting the #define in /src/lib/libipsec/config.h.

note: I meant _commenting_, as you probably understood.


It looks to me like that will work. I will try it when I get a chance. I can
most quickly test it on NetBSD 7.x because that is the version I am using in
my environment, and if that works as expected I will also test it with
NetBSD 8 and current and let you know what I find.
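The framing mismatch under discussion, as an added illustration that is not code from the thread, racoon or the NetBSD kernel: a small classifier showing how a receiver expecting RFC 3948 framing (non-zero SPI first, 4-byte zero Non-ESP marker on IKE) treats a packet sent with the draft-00 Non-IKE marker (8 zero bytes before ESP), and vice versa. Mode and result names are illustrative, the packet bytes are constructed, and the marker layouts are taken from RFC 3948 and draft-00 as I understand them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names for the two UDP-encapsulation framings; these are not
 * the kernel's socket-option constants. */
enum encap_mode { ENCAP_RFC3948, ENCAP_DRAFT00_NON_IKE };
enum encap_kind { KIND_TOO_SHORT, KIND_KEEPALIVE, KIND_IKE, KIND_ESP };
struct natt_result { enum encap_kind kind; size_t esp_off; };

#define ESP_HDR_LEN 8  /* SPI (4 bytes) + sequence number (4 bytes) */

/* Classify one UDP/4500 payload the way a receiver in the given mode would.
 * RFC 3948: ESP starts directly with a non-zero SPI; IKE is prefixed by a
 *   4-byte zero Non-ESP marker.
 * draft-00: ESP is prefixed by an 8-byte zero Non-IKE marker; IKE starts
 *   with its non-zero 8-byte initiator cookie.
 * A 1-byte 0xff payload is treated as a NAT keepalive in either framing. */
static struct natt_result classify_natt(enum encap_mode mode,
                                        const uint8_t *p, size_t len)
{
    static const uint8_t zero8[8] = {0};
    struct natt_result r = { KIND_TOO_SHORT, 0 };
    size_t marker = (mode == ENCAP_RFC3948) ? 4 : 8;

    if (len == 1 && p[0] == 0xff) { r.kind = KIND_KEEPALIVE; return r; }
    if (len < marker) return r;
    int zero_marker = (memcmp(p, zero8, marker) == 0);
    if (mode == ENCAP_RFC3948) {
        if (zero_marker) { r.kind = KIND_IKE; return r; }   /* Non-ESP marker */
        r.esp_off = 0;                                      /* SPI comes first */
    } else {
        if (!zero_marker) { r.kind = KIND_IKE; return r; }  /* IKE cookie */
        r.esp_off = 8;                                      /* skip Non-IKE marker */
    }
    if (len < r.esp_off + ESP_HDR_LEN) return r;            /* stays TOO_SHORT */
    r.kind = KIND_ESP;
    return r;
}

/* Constructed samples (not captured traffic): the same ESP packet (SPI
 * 0x00000100, sequence 1) in each framing, an RFC 3948 IKE packet, a keepalive. */
static const uint8_t esp_rfc3948[] = {0,0,1,0, 0,0,0,1, 0xde,0xad};
static const uint8_t esp_draft00[]  = {0,0,0,0,0,0,0,0, 0,0,1,0, 0,0,0,1, 0xde,0xad};
static const uint8_t ike_rfc3948[]  = {0,0,0,0, 0xa1,0xb2,0xc3,0xd4,0xe5,0xf6,0x17,0x28};
static const uint8_t keepalive[]    = {0xff};

/* The failure mode from the thread: draft-00 framing arriving at an RFC 3948
 * receiver looks like IKE, so the ESP traffic is silently diverted. */
int main(void)
{
    struct natt_result r = classify_natt(ENCAP_RFC3948, esp_draft00, sizeof esp_draft00);
    printf("draft-00 ESP at RFC 3948 receiver -> %s\n",
           r.kind == KIND_IKE ? "misclassified as IKE" : "ESP");
    return 0;
}
```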

