Re: IPSec ESN: Packets decryption fail with ESN enabled connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04-01-2019 14:04, Steffen Klassert wrote:
> On Thu, Jan 03, 2019 at 04:16:56PM +0530, Harsh Jain wrote:
>> On 02-01-2019 18:21, Herbert Xu wrote:
>>> Does this occur if you use software crypto on the receiving end
>>> while keeping the sending end unchanged?
>> I tried with "authencesn(hmac(sha1-ssse3),cbc(aes-asm))" on both sides.
>>
>> Server : iperf  -s  -w 512k  -p 20002
>>
>> Client : iperf  -t 60 -w 512k -l 2048 -c 1.0.0.96 -P 32 -p 20002
>>
>>> If not then I would start debugging this within your driver.
>> ESP Packet whose's sequence No. is out of window gets dropped with EBADMSG.  It seems that "xfrm_replay_seqhi" intentionally increments the "seq_hi" to fail verification for Out of seq packet.
> Yes, this is defined in RFC 4303 Appendix A2.2.

Thanks, It means we cannot avoid verification part for packets with low seql.





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux