tech-net archive


Re: net.ipsecif.use_fixed_reqid=1 -> 2
any thoughts?

On Wed, 13 May 2026 at 10:49, Andrew Cagney <andrew.cagney%gmail.com@localhost> wrote:
>
> Hi,
>
> with net.ipsecif.use_fixed_reqid=1 ipsec kernel policies get assigned
> the magic IDs:
>
>   IPv4: net.ipsecif.reqid_base + 2 * UNIT + 0
>   IPv6: net.ipsecif.reqid_base + 2 * UNIT + 1
>
> where net.ipsecif.reqid_base=8192 by default, viz.:
>
> 192.1.2.23[any] 192.1.2.45[any] 4(ipv4)
>         in ipsec
>         esp/transport//unique:8194
>         spid=1 seq=3 pid=PID
>         refcnt=0
> 192.1.2.23[any] 192.1.2.45[any] 41(ipv6)
>         in ipsec
>         esp/transport//unique:8195
>         spid=3 seq=2 pid=PID
>         refcnt=0
> 192.1.2.45[any] 192.1.2.23[any] 4(ipv4)
>         out ipsec
>         esp/transport//unique:8194
>         spid=2 seq=1 pid=PID
>         refcnt=0
> 192.1.2.45[any] 192.1.2.23[any] 41(ipv6)
>         out ipsec
>         esp/transport//unique:8195
>         spid=4 seq=0 pid=PID
>         refcnt=0
>
> which means that, for IPsec traffic, one has to duplicate the kernel
> states for the IPv4 policy
>
> 192.1.2.23 192.1.2.45
>         esp mode=transport spi=SPISPI(0xSPISPI) reqid=8194(0x00002002)
> ...
> 192.1.2.45 192.1.2.23
>         esp mode=transport spi=SPISPI(0xSPISPI) reqid=8194(0x00002002)
> ...
>
> creating a separate pair of kernel states for the IPv6 policy.
>
> Other than the small matter of evading code bear traps, can anyone see
> a problem with extending net.ipsecif.use_fixed_reqid so that when set
> to 2 it only generates one ID?
> (a follow-on could be to drop the kernel policies).
>
> In IKEv2, the norm is to create a single SA (kernel state) and then
> use that for both IPv4 and IPv6 traffic.

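The reqid arithmetic quoted above, as an added worked example that is not part of the post or of NetBSD's if_ipsec(4) code: it computes the fixed reqids that use_fixed_reqid=1 hands out per ipsec(4) unit, parses the setkey -DP dump from the post (embedded here with pid=PID as printed) to count how many in/out SA pairs IKE has to negotiate, and then remaps the policies to the proposed single-ID scheme. The value chosen for the single ID (base + 2 * UNIT, i.e. the old IPv4 one) and the helper names are assumptions; the post only says "one ID".

```python
"""Added example: reqid assignment for ipsec(4) interfaces and the SA-pair
count implied by a setkey -DP dump.  Not code from the original post or from
NetBSD; the mode-2 reqid choice and all helper names are assumptions."""
import re

REQID_BASE = 8192  # default net.ipsecif.reqid_base quoted in the post


def fixed_reqids(unit, mode=1, base=REQID_BASE):
    """Return (ipv4_reqid, ipv6_reqid) for ipsec<unit>.

    mode 1 is the behaviour described in the post:
        IPv4: base + 2*unit + 0, IPv6: base + 2*unit + 1
    mode 2 is the proposed extension: one id for both families.  Reusing
    base + 2*unit for it is an assumption (keeps ids unique across units).
    """
    if mode == 1:
        return (base + 2 * unit, base + 2 * unit + 1)
    if mode == 2:
        shared = base + 2 * unit
        return (shared, shared)
    raise ValueError("unsupported use_fixed_reqid value %r" % mode)


def unit_from_reqid(reqid, base=REQID_BASE):
    """Invert the mode-1 mapping: which unit/family a reqid in a
    setkey -D dump belongs to."""
    off = reqid - base
    if off < 0:
        raise ValueError("reqid %d is below reqid_base %d" % (reqid, base))
    return (off // 2, "ipv4" if off % 2 == 0 else "ipv6")


# The setkey -DP output from the post, constructed inline as sample input.
SAMPLE_SPD = """\
192.1.2.23[any] 192.1.2.45[any] 4(ipv4)
        in ipsec
        esp/transport//unique:8194
        spid=1 seq=3 pid=PID
        refcnt=0
192.1.2.23[any] 192.1.2.45[any] 41(ipv6)
        in ipsec
        esp/transport//unique:8195
        spid=3 seq=2 pid=PID
        refcnt=0
192.1.2.45[any] 192.1.2.23[any] 4(ipv4)
        out ipsec
        esp/transport//unique:8194
        spid=2 seq=1 pid=PID
        refcnt=0
192.1.2.45[any] 192.1.2.23[any] 41(ipv6)
        out ipsec
        esp/transport//unique:8195
        spid=4 seq=0 pid=PID
        refcnt=0
"""

# One policy = selector line, direction line, then proto/mode/endpoints/level.
# Transport mode has empty endpoints, hence the "//" before "unique:".
POLICY_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+) (?P<ulp>\d+)\((?P<fam>ipv[46])\)\n"
    r"[ \t]+(?P<dir>in|out) ipsec\n"
    r"[ \t]+(?P<proto>esp|ah)/(?P<mode>\w+)/(?P<ep>[^/\n]*)/unique:(?P<reqid>\d+)",
    re.M,
)


def parse_spd(text):
    """Parse setkey -DP output into a list of policy dicts."""
    return [m.groupdict() for m in POLICY_RE.finditer(text)]


def sa_pairs_needed(policies):
    """Distinct reqids: IKE must negotiate one in/out SA pair per reqid."""
    return sorted({int(p["reqid"]) for p in policies})


def remap_to_mode2(policies, base=REQID_BASE):
    """Rewrite the reqid of each policy as the proposed mode 2 would assign it."""
    out = []
    for p in policies:
        unit, _fam = unit_from_reqid(int(p["reqid"]), base)
        q = dict(p)
        q["reqid"] = str(fixed_reqids(unit, mode=2, base=base)[0])
        out.append(q)
    return out


if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    print("mode 1 SA pairs:", sa_pairs_needed(pols))
    print("mode 2 SA pairs:", sa_pairs_needed(remap_to_mode2(pols)))
```

Running it against the quoted dump reports two reqids (8194, 8195) under the current scheme and one (8194) after the remap, which is the duplicated-state cost the post is asking about.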
