mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-06 11:39:24 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/xfrm
History
Antony Antony a486cd2366 xfrm: fix state migration copy replay sequence numbers 
During xfrm migration copy replay and preplay sequence numbers
from the previous state.

Here is a tcpdump output showing the problem.
10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder.
After the migration it sent wrong sequence number, reset to 1.
The migration is from 10.0.0.52 to 10.0.0.53.

IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136
IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136
IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136
IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136

IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa  inf2[I]
IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa  inf2[R]
IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa  inf2[I]
IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa  inf2[R]

IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136

NOTE: next sequence is wrong 0x1

IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136
IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136
IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136

Signed-off-by: Antony Antony <antony@phenome.org>
Reviewed-by: Richard Guy Briggs <rgb@tricolour.ca>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-05-19 12:49:13 +02:00
..
Kconfig Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-02-16 21:25:49 -05:00
Makefile xfrm: Add an IPsec hardware offloading API 2017-04-14 10:06:10 +02:00
xfrm_algo.c xfrm: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
xfrm_device.c xfrm: Fix NETDEV_DOWN with IPSec offload 2017-05-08 09:41:09 +02:00
xfrm_hash.c
xfrm_hash.h xfrm: use "unsigned int" in __xfrm6_pref_hash() 2017-03-24 07:03:12 +01:00
xfrm_input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
xfrm_ipcomp.c
xfrm_output.c xfrm: Add encapsulation header offsets while SKB is not encrypted 2017-04-14 10:07:39 +02:00
xfrm_policy.c xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY 2017-05-04 07:30:59 +02:00
xfrm_proc.c proc: Reduce cache miss in xfrm_statistics_seq_show 2016-09-30 01:50:45 -04:00
xfrm_replay.c xfrm: Add xfrm_replay_overflow functions for offloading 2017-04-14 10:07:01 +02:00
xfrm_state.c xfrm: fix state migration copy replay sequence numbers 2017-05-19 12:49:13 +02:00
xfrm_sysctl.c net: xfrm: Change u32 sysctl entries to use proc_douintvec 2016-09-07 23:17:53 -07:00
xfrm_user.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00