NetBSD-Bugs archive
Re: kern/59070: net.ipsecif.use_fixed_reqid=1's behaviour
On Tue, 11 Feb 2025 at 22:46, Kengo Nakahara <k-nakahara%iij.ad.jp@localhost> wrote:
>
> Hi,
>
> The behavior is by design.  I will update man later.

There's something I'm not understanding.

> >   Because different REQIDs are put on the IPv4 and IPv6 policy, I
> >   presumably need to install four SAs:
> >   - in reqid=IPv4
> >   - in reqid=IPv6
> >   - out reqid=IPv4
> >   - out reqid=IPv6
> >   instead of the standard two.

One of IKEv2's SOPs is to establish a single ESP SA and use that to
tunnel all traffic - both IPv4 and IPv6.
Here, that would presumably mean creating SAs that are identical other
than the REQID (same keys, same alg, same inbound/outbound SPIs).
What I'm not understanding is how the kernel, given only the inbound
SPI, can select the correct SA.  Perhaps it uses the Next Header
field.