[Joy, thanks for flagging me to this. I am not in the habit of tracking lspp
daily currently]

> -----Original Message-----
> From: Joy Latten [mailto:[EMAIL PROTECTED]
> On Wed, 2007-03-28 at 17:35 -0400, Paul Moore wrote:
> > Well, I still did find one thing that was a bit odd, perhaps you can help
> > explain it to me.  When I use the following SPD (where A and B are IPv4
> > addresses, with the other end having the same policy but a shift in
> > direction):
> >
> > spdadd A B[5300] tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd A[5300] B tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd B[5300] A tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> > spdadd B A[5300] tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> >
> > spdadd A B[5300] udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd A[5300] B udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd B[5300] A udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> > spdadd B A[5300] udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> >
> > ... and connect from B to A running netcat using both TCP and UDP I find that
> > both the UDP and TCP connections use the same SA on the host generating the
> > traffic.  Based on the SPD above I wouldn't think that to be the case ...
> >
>
> I see this too. I took a brief look at the code and could not readily
> find where we copy the selector info into the xfrm_state...

SPD stands for Security Policy Database and has just that: policy. Once
an SPD rule determines that a certain "flow/packet" needs to use an ipsec
SA with certain characteristics (ah/esp/ipcomp/combo, transport/tunnel,
etc.), an SA or SAs with the given characteristics are used. So, it's
perfectly logical that the same SA would be used when the SA characteristics
among the different policy rules are the same. Varying any of these
characteristics and/or the label of the flow/packet should cause a different
SA to be used. Let me know if you find otherwise. It's also possible to
require unique SAs. See setkey(8), etc.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
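To make the point of the reply concrete, here is an added Python model (not code from the kernel, from setkey, or from anyone on the list) that parses spdadd statements of the shape quoted above and groups them by the characteristics an SA is looked up under. Assumptions: SA identity is modelled as (protocol, mode, endpoints, label, reqid), so selector ports and the upper-layer protocol select a policy but not an SA; a bare `unique` level is modelled by allocating a reqid from a counter; the UNIQUE_SPD and RELABELED_SPD variants, including the `ipsec_udp_spd_t` label, are constructed for illustration.

```python
"""Model of how setkey(8) SPD entries resolve to IPsec SAs (added illustration)."""
import itertools
import re
from collections import defaultdict

LABEL = 'system_u:object_r:ipsec_spd_t:s0'

# Constructed sample: the outbound half of the TCP/UDP policies from the thread.
SAMPLE_SPD = '''spdadd A B[5300] tcp
        -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
spdadd A[5300] B tcp
        -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;

spdadd A B[5300] udp
        -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
spdadd A[5300] B udp
        -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
'''

# Constructed variant: TCP policies pinned to reqid 1, UDP policies to reqid 2.
UNIQUE_SPD = SAMPLE_SPD.replace('require', 'unique:1', 2).replace('require', 'unique:2')

# Constructed variant: UDP policies carry a different label (ipsec_udp_spd_t is
# a made-up type, not a real policy type).
_tcp_part, _udp_part = SAMPLE_SPD.split('\n\n')
RELABELED_SPD = _tcp_part + '\n\n' + _udp_part.replace('ipsec_spd_t', 'ipsec_udp_spd_t')

SPDADD_RE = re.compile(
    r'spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ul>\S+)\s+'
    r'(?:-ctx\s+(?P<doi>\d+)\s+(?P<alg>\d+)\s+"(?P<label>[^"]*)"\s+)?'
    r'-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<rules>[^;]+);')
ENDPOINT_RE = re.compile(r'^(?P<addr>[^\[]+)(?:\[(?P<port>\d+)\])?$')


def parse_endpoint(text):
    """Split 'ADDR' or 'ADDR[port]' into (addr, port-or-None)."""
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError('bad endpoint: %r' % text)
    return m.group('addr'), (int(m.group('port')) if m.group('port') else None)


def parse_spd(text):
    """Parse spdadd statements into policy dicts, one per statement."""
    auto_reqid = itertools.count(10000)   # assumption: stand-in for kernel allocation
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, sport = parse_endpoint(m.group('src'))
        dst, dport = parse_endpoint(m.group('dst'))
        rules = []
        for spec in m.group('rules').split():
            proto, mode, tunnel, level = spec.split('/')
            reqid = 0                      # require/use/default: SA may be shared
            if level.startswith('unique'):
                num = level.partition(':')[2]
                reqid = int(num) if num else next(auto_reqid)
            rules.append({'proto': proto, 'mode': mode, 'level': level,
                          'tunnel': tuple(tunnel.split('-')) if tunnel else None,
                          'reqid': reqid})
        policies.append({'src': src, 'sport': sport, 'dst': dst, 'dport': dport,
                         'ul': m.group('ul'), 'dir': m.group('dir'),
                         'label': m.group('label') or '', 'rules': rules})
    return policies


def sa_identity(policy, rule):
    """Characteristics that distinguish one SA from another.  The selector's
    ports and upper-layer protocol are deliberately absent: they pick the
    policy, and the policy then asks for *an* SA with these characteristics."""
    src, dst = rule['tunnel'] or (policy['src'], policy['dst'])
    return (rule['proto'], rule['mode'], src, dst, policy['label'], rule['reqid'])


def group_by_sa(text):
    """Map each SA identity to the selectors whose policies would use it."""
    groups = defaultdict(list)
    for policy in parse_spd(text):
        selector = '%s[%s] -> %s[%s] %s' % (
            policy['src'], policy['sport'] or 'any',
            policy['dst'], policy['dport'] or 'any', policy['ul'])
        for rule in policy['rules']:
            groups[sa_identity(policy, rule)].append(selector)
    return dict(groups)


def count_sas(text):
    return len(group_by_sa(text))


if __name__ == '__main__':
    for spd_name, spd in (('thread SPD', SAMPLE_SPD), ('unique:N', UNIQUE_SPD),
                          ('relabeled', RELABELED_SPD)):
        print('%s -> %d SA(s)' % (spd_name, count_sas(spd)))
        for sa, selectors in group_by_sa(spd).items():
            print('  ', sa)
            for sel in selectors:
                print('      ', sel)
```

Run as a script, the thread's four outbound policies collapse onto one SA identity, which is the behaviour Paul observed; pinning different reqids with `unique:N`, or changing the label on some policies, splits them into separate SAs, which is what the reply says setkey(8) lets you require.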
