We are trying to test Linux IPsec and racoon IKE by using relatively big SPDB and SADB (~4K - 16K entries). I have two specific questions about the security policy database in the Linux kernel.

- As I see, setkey only supports adding a policy to the end of the list. By using the PF_KEY socket interface, how can I insert a policy at the beginning or at a specific position in the list (by using an index or before/after a policy entry), without flushing and reinserting all SPD entries? I don't want to use the priority parameter for that, because I think it may slow down policy lookup, and it will be hard to manage the priority of entries in the long term.

- According to RFC 4301: "The SPD is an ordered database. Thus, a user or administrator MUST be able to order the entries to express a desired access control policy." In Test 1, we have shown Linux IPsec behaviour is against this rule. It looks like a bug in the hash table for source and destination selectors with prefix length 32. Do you think it is a bug or a feature?

Test scenarios are as follows:

Device Under Test: IP address: 192.168.101.1/24

DUT(192.168.101.1/24)----->(192.168.101.5/24) Host

TEST 1: Failed (src & dst in same network, selector prefix 32)

SuseDE1:~ # setkey -c
spdadd 192.168.101.0/24 192.168.101.0/24 any -P out none;
spdadd 192.168.101.1/32 192.168.101.5/32 any -P out discard;

SuseDE1:~ # setkey -DP
192.168.101.0/24[any] 192.168.101.0/24[any] any
	out prio def none
	created: Aug 12 09:45:47 2009  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=1 seq=1 pid=4732 refcnt=1
192.168.101.1[any] 192.168.101.5[any] any
	out prio def discard
	created: Aug 12 09:45:48 2009  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=9 seq=0 pid=4732 refcnt=1

SuseDE1:~ # ping 192.168.101.5 -I 192.168.101.1
PING 192.168.101.5 (192.168.101.5) from 192.168.101.1 : 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
....

--> Failed, since the second policy entry was selected, not the first matching entry in the list.

TEST 2: Passed (src & dst in different network, selector prefix 32)

spdadd 192.168.101.0/24 192.168.102.0/24 any -P out none;
spdadd 192.168.101.1/32 192.168.102.5/32 any -P out discard;
# ping->192.168.102.5 OK

TEST 3: Passed (src & dst in same network, selector prefix 24&32)

spdadd 192.168.101.0/24 192.168.101.0/24 any -P out none;
spdadd 192.168.101.1/24 192.168.101.5/32 any -P out discard;
# ping->192.168.101.5 OK

TEST 4: Passed (src & dst in same network, using priority)

spdadd 192.168.101.0/24 192.168.101.0/24 any -P out prio 2 none;
spdadd 192.168.101.1/32 192.168.101.5/32 any -P out prio 1 discard;
# ping->192.168.101.5 OK

Thanks...
Ural
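As an added illustration (not part of Ural's mail or of the kernel code), a small Python model of the ordered, first-match SPD lookup that RFC 4301 requires, run over the four policy sets from the tests above; the "lower prio value wins" rule and the numeric value used for "prio def" are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: "prio def" is modelled as one fixed value shared by all
# entries, so only insertion order separates them (as in Tests 1-3).
DEFAULT_PRIO = 1000


@dataclass
class SpdEntry:
    src: str                 # selector in CIDR form, e.g. "192.168.101.1/32"
    dst: str
    action: str              # "none", "discard" or "ipsec"
    prio: int = DEFAULT_PRIO  # setkey "prio" value; lower value wins (Test 4)


def lookup(spd, src_ip, dst_ip):
    """Action of the first matching entry, searched in RFC 4301 order.

    Order: explicit priority first, then the position the entry was added
    in (setkey appends to the end of the list). Returns None on no match.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ordered = sorted(enumerate(spd), key=lambda e: (e[1].prio, e[0]))
    for _, entry in ordered:
        # strict=False lets "192.168.101.1/24" (Test 3) mean 192.168.101.0/24
        if (s in ipaddress.ip_network(entry.src, strict=False)
                and d in ipaddress.ip_network(entry.dst, strict=False)):
            return entry.action
    return None


# The four SPDs from the tests, constructed here from the spdadd lines.
TESTS = {
    "test1": ([SpdEntry("192.168.101.0/24", "192.168.101.0/24", "none"),
               SpdEntry("192.168.101.1/32", "192.168.101.5/32", "discard")],
              "192.168.101.5"),
    "test2": ([SpdEntry("192.168.101.0/24", "192.168.102.0/24", "none"),
               SpdEntry("192.168.101.1/32", "192.168.102.5/32", "discard")],
              "192.168.102.5"),
    "test3": ([SpdEntry("192.168.101.0/24", "192.168.101.0/24", "none"),
               SpdEntry("192.168.101.1/24", "192.168.101.5/32", "discard")],
              "192.168.101.5"),
    "test4": ([SpdEntry("192.168.101.0/24", "192.168.101.0/24", "none", 2),
               SpdEntry("192.168.101.1/32", "192.168.101.5/32", "discard", 1)],
              "192.168.101.5"),
}


def expected_results():
    """Action an RFC 4301 ordered lookup selects for each test's ping."""
    return {name: lookup(spd, "192.168.101.1", dst)
            for name, (spd, dst) in TESTS.items()}
```

Under this ordered model Test 1 selects "none" (ping should pass), which is the expectation the mail contrasts with the "Operation not permitted" the kernel actually produced; Test 4 selects "discard" because the explicit priority overrides insertion order.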