tech-net archive
net.ipsecif.use_fixed_reqid=1 -> 2
Hi,
with net.ipsecif.use_fixed_reqid=1 ipsec kernel policies get assigned
the magic IDs:
IPv4: net.ipsecif.reqid_base + 2 * UNIT + 0
IPv6: net.ipsecif.reqid_base + 2 * UNIT + 1
where net.ipsecif.reqid_base=8192 by default. viz:
    192.1.2.23[any] 192.1.2.45[any] 4(ipv4)
        in ipsec
        esp/transport//unique:8194
        spid=1 seq=3 pid=PID
        refcnt=0
    192.1.2.23[any] 192.1.2.45[any] 41(ipv6)
        in ipsec
        esp/transport//unique:8195
        spid=3 seq=2 pid=PID
        refcnt=0
    192.1.2.45[any] 192.1.2.23[any] 4(ipv4)
        out ipsec
        esp/transport//unique:8194
        spid=2 seq=1 pid=PID
        refcnt=0
    192.1.2.45[any] 192.1.2.23[any] 41(ipv6)
        out ipsec
        esp/transport//unique:8195
        spid=4 seq=0 pid=PID
        refcnt=0
which means that for IPsec traffic to duplicate the kernel states for
the IPv4 policy
    192.1.2.23 192.1.2.45
        esp mode=transport spi=SPISPI(0xSPISPI) reqid=8194(0x00002002)
        ...
    192.1.2.45 192.1.2.23
        esp mode=transport spi=SPISPI(0xSPISPI) reqid=8194(0x00002002)
        ...
creating a separate pair for kernel states for the IPv6 policy.
Other than the small matter of evading code bear traps, can anyone see
a problem with extending net.ipsecif.use_fixed_reqid so that when set
to 2 it only generates one ID?
(a follow-on could be to drop the kernel policies).
In IKEv2, the norm is to create a single SA (kernel state) and then
use that for both IPv4 and IPv6 traffic.
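As an added example (not part of the mail, and not code from NetBSD's if_ipsec), the Python below applies the reqid arithmetic quoted above to a setkey -DP dump: it maps each unique:N back to the ipsecN unit and address family, and reports which units currently carry two distinct reqids, i.e. the per-family SA pairs that the proposed use_fixed_reqid=2 would collapse into one. It assumes the default reqid_base of 8192 and the base + 2 * UNIT + {0,1} encoding from the mail; the sample dump is the four SPD entries quoted in the mail, and the function names are my own.

```python
import re
from collections import defaultdict

# Default net.ipsecif.reqid_base as stated in the mail.
REQID_BASE = 8192

def fixed_reqid(unit, ipv6, base=REQID_BASE):
    """reqid handed to an ipsecN policy with use_fixed_reqid=1:
    base + 2 * UNIT + 0 for the IPv4 policy, + 1 for the IPv6 policy."""
    return base + 2 * unit + (1 if ipv6 else 0)

def unit_of_reqid(reqid, base=REQID_BASE):
    """Invert fixed_reqid(): map a reqid seen in setkey output back to (unit, is_ipv6)."""
    off = reqid - base
    if off < 0:
        raise ValueError("reqid %d is below reqid_base %d" % (reqid, base))
    return off // 2, bool(off % 2)

# Sample SPD dump: the four entries quoted in the mail (setkey -DP layout).
SPD_DUMP = """\
192.1.2.23[any] 192.1.2.45[any] 4(ipv4)
        in ipsec
        esp/transport//unique:8194
        spid=1 seq=3 pid=PID
        refcnt=0
192.1.2.23[any] 192.1.2.45[any] 41(ipv6)
        in ipsec
        esp/transport//unique:8195
        spid=3 seq=2 pid=PID
        refcnt=0
192.1.2.45[any] 192.1.2.23[any] 4(ipv4)
        out ipsec
        esp/transport//unique:8194
        spid=2 seq=1 pid=PID
        refcnt=0
192.1.2.45[any] 192.1.2.23[any] 41(ipv6)
        out ipsec
        esp/transport//unique:8195
        spid=4 seq=0 pid=PID
        refcnt=0
"""

# Policy header line: "<src>[port] <dst>[port] <proto>(<name>)"
POLICY_RE = re.compile(r"^([^\s\[]+)\[[^\]]*\] ([^\s\[]+)\[[^\]]*\] (\d+)\((\w+)\)$")
# Direction line: "in ipsec" / "out ipsec" / "fwd ipsec"
DIR_RE = re.compile(r"^(in|out|fwd) ipsec$")
# Policy level carrying a unique reqid: ".../unique:<reqid>"
REQID_RE = re.compile(r"/unique:(\d+)$")

def parse_spd(dump):
    """Parse a setkey -DP dump into dicts with src, dst, proto, dir and reqid.
    Only policies whose level is unique:<reqid> are returned."""
    entries, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": int(m.group(3))}
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = REQID_RE.search(line)
        if m:
            cur["reqid"] = int(m.group(1))
            entries.append(cur)
            cur = None
    return entries

def reqids_per_unit(entries, base=REQID_BASE):
    """Group parsed policies by ipsecN unit; the result shows how many distinct
    reqids (and therefore SA pairs) each interface needs."""
    per_unit = defaultdict(set)
    for e in entries:
        unit, _ = unit_of_reqid(e["reqid"], base)
        per_unit[unit].add(e["reqid"])
    return {u: sorted(r) for u, r in per_unit.items()}

def units_needing_duplicate_sas(entries, base=REQID_BASE):
    """Units whose IPv4 and IPv6 policies carry different reqids, so the IKE
    daemon (or the admin) must install two SA pairs for one interface."""
    return sorted(u for u, r in reqids_per_unit(entries, base).items() if len(r) > 1)

if __name__ == "__main__":
    parsed = parse_spd(SPD_DUMP)
    for e in parsed:
        unit, v6 = unit_of_reqid(e["reqid"])
        print("%-3s ipsec%d %s proto=%d reqid=%d"
              % (e["dir"], unit, "IPv6" if v6 else "IPv4", e["proto"], e["reqid"]))
    print("reqids per unit:", reqids_per_unit(parsed))
    print("units needing two SA pairs:", units_needing_duplicate_sas(parsed))
```

Run against a live `setkey -DP` dump, the last line lists every ipsecN interface that currently needs two SA pairs; with the proposed mode 2 it should come back empty, which gives a quick check that a patched kernel really hands out one reqid per unit.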