Upon doing some initial testing of the IPSec implementation in the 2.6 series kernel in conjunction with racoon as the IKE daemon, I came across the following behavior: When using IPv4, if, on a blocking socket, a UDP packet is sent (using sendto) that requires IPSec protection, and the IPSec security association has not been set up yet, then the sendto call blocks until the IPSec security association has been negotiated by the IKE daemon. However, when the same test is performed using an IPv6 socket, the sendto call returns immediately with errno being set to ENETUNREACH. This happens irregardless of whether the O_NONBLOCK socket option has been set or not. The behavior should be consistent between IPv4 and IPv6.
Location of problem: The ip6_dst_lookup function calls xfrm_lookup, passing in 0 for the flags, whereas the equivalent function in the IPv4 code (ip_route_output_flow) calls xfrm_lookup function passing in the flags that udp_sendmsg passes it, which are computed based on whether the MSG_DONTWAIT flag is set in msg->msg_flags. In order to behave the same as the IPv4 code, the ip6_dst_lookup function needs to be passed the same flags so that it can in turn pass them to the xfrm_lookup function, so that the appropriate behavior is insured. Furthermore, if the socket is in non-blocking mode, then errno should be set to EAGAIN if an IPSec security association must be established.
Keywords: networking IPSec
Kernel version: 2.6.0-test2-bk8
To replicate this problem, put a security policy in the SPD that requires outbound UDP traffic to be secured with IPSec. Then, with an IKE daemon running, call sendto on an IPv6 socket. sendto will return -1, with errno set to ENETUNREACH. Once the IPSec SA is established, subsequent calls to sendto will behave properly.
Brian Buesker
- : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
