NetBSD-Bugs archive


Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports



The following reply was made to PR bin/47894; it has been noted by GNATS.

From: SUENAGA Hiroki <hsuenaga%openbsd.org@localhost>
To: Christos Zoulas <christos%zoulas.com@localhost>, 
 Egerváry Gergely <gergely%egervary.hu@localhost>, 
gnats-bugs%NetBSD.org@localhost, 
 gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Date: Tue, 24 Jun 2014 11:18:07 +0900

 (2014/06/21 1:00), Christos Zoulas wrote:
 > I just looked at the patches (the xz file). There doesn't seem to be anything
 > interesting there. Except the EDNS stuff, which is done incorrectly (it 
 > should
 > be using the new resolver routines).
 
 I looked at the Linux kernel and found it simply ignores the checksum.
 
 esp4.c
         /*
          * 2) ignore UDP/TCP checksums in case
 ...
         if (x->props.mode == XFRM_MODE_TRANSPORT)
                 skb->ip_summed = CHECKSUM_UNNECESSARY;
 
 The Linux kernel always works without NAT-OAs. This is one decision;
 the integrity of IPsec packets is guaranteed by ESP-Auth, AES-GCM, or AH
 in most cases. Some old Internet-Drafts recommend this behavior. But
 our racoon supports the NAT-OA payload to keep the checksum consistent.
 It's a little better to use it correctly.
 
 
 I found racoon tells only one of NAT-OAi or NAT-OAr to the NetBSD kernel.
 If it told both NAT-OAi and NAT-OAr, we could update the checksum
 independently of the negotiation side.
 
  newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr
 
 I will fix racoon, and the kernel, to do this. If there is no NAT-OA,
 Linux-compatible behavior should be good.
 
 -- 
 SUENAGA Hiroki <hsuenaga%netbsd.org@localhost>
 facebook.com/hiroki.suenaga
 
 PGP: 66B3 8939 6758 20BA F243  89EC 557A 8CFB ABA9 5E92
 
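The incremental checksum fixup proposed in the reply above, worked through as an added example. This is not code from the PR, racoon or the NetBSD kernel: the addresses (192.168.1.10 behind a NAT that rewrites it to 198.51.100.7, responder 203.0.113.5), the sample datagram and the function names are constructed for illustration. It applies `newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr` in ones'-complement arithmetic to a UDP datagram in transport mode, shows that carrying both NAT-OA addresses makes the fixup work in either direction without knowing which side initiated, and falls back to the Linux esp4.c behaviour (skip the check, trust ESP integrity) when no NAT-OA is available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample topology (assumption, not from the PR). */
#define ADDR_I_PRIVATE 0xC0A8010Au   /* 192.168.1.10: initiator, its NAT-OAi */
#define ADDR_I_NATTED  0xC6336407u   /* 198.51.100.7: the initiator as the responder sees it */
#define ADDR_R         0xCB007105u   /* 203.0.113.5: responder, NAT-OAr */

enum csum_result { CSUM_OK = 0, CSUM_BAD = 1, CSUM_SKIPPED = 2 };

/* Fold a 32-bit accumulator to a 16-bit ones'-complement sum (end-around carry). */
static uint16_t csum_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Add the big-endian 16-bit words of buf; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t acc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += (uint32_t)buf[i] << 8 | buf[i + 1];
    if (len & 1)
        acc += (uint32_t)buf[len - 1] << 8;
    return acc;
}

/* Add an IPv4 address as the two 16-bit words the pseudo-header contains. */
static uint32_t csum_add_addr(uint32_t acc, uint32_t addr)
{
    return acc + (addr >> 16) + (addr & 0xffffu);
}

/* Full UDP checksum over pseudo-header + UDP header + payload, with the checksum
 * field taken as zero. A computed 0 is transmitted as 0xffff (RFC 768). */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    uint32_t acc = 0;
    acc = csum_add_addr(acc, src);
    acc = csum_add_addr(acc, dst);
    acc += 17;                       /* IPPROTO_UDP */
    acc += (uint32_t)len;            /* UDP length */
    acc = csum_add(acc, udp, 6);     /* ports and length, skip the checksum field */
    acc = csum_add(acc, udp + 8, len - 8);
    uint16_t cs = (uint16_t)~csum_fold(acc);
    return cs == 0 ? 0xffffu : cs;
}

/* newsum = oldsum + ipsrc + ipdst - NAT-OAi - NAT-OAr. The field holds ~sum, and
 * subtracting x in ones' complement is adding ~x. Addition is commutative, so the
 * two NAT-OA addresses may arrive in either order: the receiver need not know
 * whether it was initiator or responder, only which pair the peer computed with. */
uint16_t udp_csum_nat_oa_fixup(uint16_t old_cs, uint32_t rcv_src, uint32_t rcv_dst,
                               uint32_t oa1, uint32_t oa2)
{
    if (old_cs == 0)
        return 0;                    /* UDP sent without a checksum: nothing to fix */
    uint32_t acc = (uint16_t)~old_cs;
    acc = csum_add_addr(acc, rcv_src);
    acc = csum_add_addr(acc, rcv_dst);
    acc = csum_add_addr(acc, ~oa1);
    acc = csum_add_addr(acc, ~oa2);
    uint16_t cs = (uint16_t)~csum_fold(acc);
    return cs == 0 ? 0xffffu : cs;
}

/* Transport-mode decapsulation policy: with the peer's NAT-OA pair, rewrite the
 * checksum in place and verify it; without one, skip the check as esp4.c does
 * (CHECKSUM_UNNECESSARY) and rely on ESP's own integrity protection. */
enum csum_result transport_udp_csum_check(uint32_t rcv_src, uint32_t rcv_dst,
                                          const uint32_t *peer_oa, uint8_t *udp, size_t len)
{
    if (peer_oa == NULL || len < 8)
        return CSUM_SKIPPED;
    uint16_t old_cs = (uint16_t)(udp[6] << 8 | udp[7]);
    uint16_t new_cs = udp_csum_nat_oa_fixup(old_cs, rcv_src, rcv_dst, peer_oa[0], peer_oa[1]);
    if (new_cs == 0)
        return CSUM_SKIPPED;
    udp[6] = (uint8_t)(new_cs >> 8);
    udp[7] = (uint8_t)(new_cs & 0xff);
    return udp_checksum(rcv_src, rcv_dst, udp, len) == new_cs ? CSUM_OK : CSUM_BAD;
}

/* Constructed sample datagram (ports 5000 -> 53, payload "hello"), checksum
 * stamped with the sender's view of the addresses. Returns its length, 13. */
size_t build_sample_udp(uint8_t *buf, uint32_t sender_src, uint32_t sender_dst)
{
    static const uint8_t tmpl[13] = { 0x13, 0x88, 0x00, 0x35, 0x00, 0x0d, 0, 0,
                                      'h', 'e', 'l', 'l', 'o' };
    for (size_t i = 0; i < sizeof tmpl; i++)
        buf[i] = tmpl[i];
    uint16_t cs = udp_checksum(sender_src, sender_dst, buf, sizeof tmpl);
    buf[6] = (uint8_t)(cs >> 8);
    buf[7] = (uint8_t)(cs & 0xff);
    return sizeof tmpl;
}

int main(void)
{
    uint8_t pkt[13];
    size_t n = build_sample_udp(pkt, ADDR_I_PRIVATE, ADDR_R);
    uint32_t oa[2] = { ADDR_I_PRIVATE, ADDR_R };     /* initiator's NAT-OAi, NAT-OAr */
    printf("with NAT-OA:    %d\n", transport_udp_csum_check(ADDR_I_NATTED, ADDR_R, oa, pkt, n));
    printf("without NAT-OA: %d\n", transport_udp_csum_check(ADDR_I_NATTED, ADDR_R, NULL, pkt, n));
    return 0;
}
```

The reverse direction uses the same function: the responder stamps its checksum with (203.0.113.5, 198.51.100.7) and reports that pair as its NAT-OA; the initiator receives (203.0.113.5, 192.168.1.10) and the identical formula restores a valid field. The 0-vs-0xffff ambiguity of ones' complement is harmless here because both the full recomputation and the fixup map a zero result to 0xffff.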

