On Thu, 2007-03-29 at 10:56 -0400, Paul Moore wrote:
> On Thursday, March 29 2007 10:01:37 am Venkat Yekkirala wrote:
> > > -----Original Message-----
> > > From: Joy Latten [mailto:[EMAIL PROTECTED]
> > > I see this too. I took a brief look at the code and could not readily
> > > find where we copy the selector info into the xfrm_state...
> >
> > SPD stands for Security Policy Database and has just that; policy. Once
> > an SPD rule determines that a certain "flow/packet" needs to use an ipsec
> > SA with certain characteristics (ah/esp/ipcomp/combo, transport/tunnel,
> > etc.), an SA or SAs with the given characteristics are used. So, it's
> > perfectly logical that the same SA would be used when the SA
> > characteristics among the different policy rules are the same. Varying
> > any of these characteristics and/or the label of the flow/packet should
> > cause a different SA to be used. Let me know if you find otherwise. It's
> > also possible to require unique SAs. See setkey(8), etc.
> 
> Yes I understand that, perhaps I am assuming too much about the way the setkey
> command works.  Maybe you or Joy could help me arrive at the correct
> configuration for what I would like to do ...
> 
> Basically I'm trying to have each SPD rule, i.e. each "spdadd" command to
> setkey, from my previous email (copied again below) result in a new SA.  For
> example I would like a connection from A,B[5300],UDP to use a different SA
> than a connection from A,B[5300],TCP.  I know this is possible using
> different IPsec implementations and would be *very* surprised to find this is
> not the case for the current Linux kernel.  Looking again at the setkey man
> page, I wonder if swapping "require" for "unique" would accomplish this?
> 
Paul, I am not very familiar with "unique" so let me know if
it works for you.

But in general, I think the upper layer protocol specified in the
policy is not necessarily used to create the SA. From what I can tell by
looking at the code, the upper layer protocol specified in the policy is
used as one of the selectors to determine if the policy and flow
match. A UDP flow should not use a policy with TCP specified.
However, from what I could determine, the upper layer protocol is not
used in negotiating an SA.

What I am not able to figure out is where in the code we fill in
the selector fields for the xfrm_state. We do use the selectors to
find the SA to create the bundle. I was curious to see what we
put for protocol in the selector for SAs. But I am unable to find in the
code where the xfrm_selector structure is filled for SAs! I saw in
__xfrm4_init_tempsel() and in __xfrm4_find_acq() where we fill in the
selector for larval SAs. But these get deleted once we add the real SA.
I could not find where we fill in the selectors for a real SA! It has
to get filled in or nothing would work. My guess is that the selector's
protocol for SAs is always set to ANY.


Joy 
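A small Python model of the SA selection behaviour discussed in this thread (an added example, not code from the thread or from the kernel): two spdadd rules whose SA characteristics are identical share one SA under "require", while "unique" with distinct reqids forces separate SAs, and the upper-layer protocol of the policy selector is deliberately not part of the SA key, matching Joy's reading. The Selector, Template and SADB names are my own simplifications, not xfrm structures.

```python
from dataclasses import dataclass, field

ANY = 0  # wildcard upper-layer protocol in a selector


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    dport: int  # 0 = any port
    proto: int  # 0 = any protocol, 6 = TCP, 17 = UDP

    def matches(self, flow: "Selector") -> bool:
        """Policy-lookup match: the protocol *is* checked here."""
        return (self.src == flow.src and self.dst == flow.dst
                and self.dport in (0, flow.dport)
                and self.proto in (ANY, flow.proto))


@dataclass(frozen=True)
class Template:
    """The SA characteristics an spdadd rule asks for (simplified)."""
    ipsec_proto: str  # "esp", "ah", "ipcomp"
    mode: str         # "transport" or "tunnel"
    level: str        # "require" or "unique"
    reqid: int = 0    # only meaningful with level "unique"


@dataclass(frozen=True)
class Policy:
    sel: Selector
    tmpl: Template


@dataclass
class SADB:
    """Toy SA database: hands out an SPI per distinct SA key."""
    sas: dict = field(default_factory=dict)
    next_spi: int = 0x1000

    def sa_for(self, policies, flow: Selector):
        policy = next((p for p in policies if p.sel.matches(flow)), None)
        if policy is None:
            return None  # no matching SPD rule in this model
        t = policy.tmpl
        # Modelled assumption: the SA key omits the selector's protocol.
        key = (policy.sel.src, policy.sel.dst, t.ipsec_proto, t.mode)
        if t.level == "unique":
            key += (t.reqid,)  # a unique policy gets its own SA per reqid
        if key not in self.sas:
            self.sas[key] = self.next_spi
            self.next_spi += 1
        return self.sas[key]
```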
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp