NetBSD-Bugs archive
Re: kern/59070: net.ipsecif.use_fixed_reqid=1's behaviour
The following reply was made to PR kern/59070; it has been noted by GNATS.
From: Andrew Cagney <andrew.cagney%gmail.com@localhost>
To: Kengo Nakahara <k-nakahara%iij.ad.jp@localhost>
Cc: gnats-bugs%netbsd.org@localhost, kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/59070: net.ipsecif.use_fixed_reqid=1's behaviour
Date: Wed, 12 Feb 2025 10:06:04 -0500
On Tue, 11 Feb 2025 at 22:46, Kengo Nakahara <k-nakahara%iij.ad.jp@localhost> wrote:
>
> Hi,
>
> The behavior is by design. I will update man later.
There's something I'm not understanding.
> > Because different REQIDs are put on the IPv4 and IPv6 policy, I
> > presumably need to install four SAs:
> > - in reqid=IPv4
> > - in reqid=IPv6
> > - out reqid=IPv4
> > - out reqid=IPv6
> > instead of the standard two.
One of IKEv2's SOPs is to establish a single ESP SA and use that to
tunnel all traffic - both IPv4 and IPv6.
Here, that would presumably mean creating SAs that are identical other
than the REQID (same keys, same alg, same inbound/outbound SPIs).
What I'm not understanding is how the kernel, given only the inbound
SPI, can select the correct SA. Perhaps it uses the Next Header
field.