Re: [PATCH] IPSec anti-replay sequence numbers
KOVACS Krisztian wrote:
> Hi,
>
> On Friday 05 August 2005 12.50, Patrick McHardy wrote:
> > Is there already userspace code which uses this feature somewhere?
>
> AFAIK Ulrich has a patch for OpenSWAN, and we (Balabit) have a patch for racoon. Unfortunately this racoon version is available only as a commercial product.

The patch for openswan is nearly finished and will be released around the end of this year.

In my first post I split the patch into three pieces, two to get the sequence numbers with pf_key and netlink/xfrm, and one to set/inform about the sequence numbers over netlink/xfrm. IMHO the first two are useful for everyone using ipsec under linux, so it would be great if these two would flow into the vanilla kernel. For the latter one it must be determined whether it's useful to add it to the vanilla kernel and, if yes, in which form.

Best regards
Ulrich
-
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] IPSec anti-replay sequence numbers
KOVACS Krisztian wrote:
> Ulrich, I already have some code which supports per-state difference settings, along with optional time limits. I don't know whether or not the latter would be necessary, but putting in the per-state diff values would be trivial. I'll send a patch in a couple of days if I find the time to hack it together.

Ok great :)

> Why do you need the pid and seq argument here? The sequence number is redundant information anyway. In turn, you don't seem to pass the event in to the notify_seq() callback, which could be handy in some cases. So IMHO something like
>
> notify_seq(struct xfrm_state *x, int event)
>
> would be more general.

I need it to distinguish between unicast (userspace wants a seq nr) or multicast (inform userspace about new seq nr) netlink messages. Seq stands here for Netlink seq nr. I'll have a look if I can wrap it another way.

Best regards
Ulrich
Re: [PATCH] IPSec anti-replay sequence numbers
Hi All,

thanks for revising, Patrick! Attached is the updated patch. Sorry, I had no time yet to remove the sysctl variables. It will follow in a few weeks if I have more time :)

Best regards
Ulrich

diff -Nru linux-2.6.13-rc3.org/include/linux/sysctl.h linux-2.6.13-rc3/include/linux/sysctl.h --- linux-2.6.13-rc3.org/include/linux/sysctl.h 2005-07-18 10:24:11.0 +0200 +++ linux-2.6.13-rc3/include/linux/sysctl.h 2005-07-19 10:10:22.0 +0200 @@ -253,6 +253,8 @@ NET_CORE_DEV_WEIGHT=17, NET_CORE_SOMAXCONN=18, NET_CORE_BUDGET=19, + NET_CORE_XFRM_SEQDIFF_IN=20, + NET_CORE_XFRM_SEQDIFF_OUT=21, }; /* /proc/sys/net/ethernet */ diff -Nru linux-2.6.13-rc3.org/include/linux/xfrm.h linux-2.6.13-rc3/include/linux/xfrm.h --- linux-2.6.13-rc3.org/include/linux/xfrm.h 2005-07-18 10:49:43.0 +0200 +++ linux-2.6.13-rc3/include/linux/xfrm.h 2005-07-19 10:10:22.0 +0200 @@ -140,6 +140,9 @@ XFRM_MSG_FLUSHPOLICY, #define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY + XFRM_MSG_UPDSEQ, +#define XFRM_MSG_UPDSEQ XFRM_MSG_UPDSEQ + __XFRM_MSG_MAX }; #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) @@ -263,5 +266,6 @@ #define XFRMGRP_EXPIRE 2 #define XFRMGRP_SA 4 #define XFRMGRP_POLICY 8 +#define XFRMGRP_REPLAY 16 #endif /* _LINUX_XFRM_H */ diff -Nru linux-2.6.13-rc3.org/include/net/xfrm.h linux-2.6.13-rc3/include/net/xfrm.h --- linux-2.6.13-rc3.org/include/net/xfrm.h 2005-07-18 10:24:11.0 +0200 +++ linux-2.6.13-rc3/include/net/xfrm.h 2005-08-04 12:28:36.0 +0200 @@ -134,6 +134,9 @@ /* State for replay detection */ struct xfrm_replay_state replay; + /* Replay detection state at the time we sent the last notification */ + struct xfrm_replay_state preplay; + /* Statistics */ struct xfrm_stats stats; 
@@ -301,6 +304,10 @@ struct xfrm_tmplxfrm_vec[XFRM_MAX_DEPTH]; }; +/* which seqno */ +#define XFRM_REPLAY_INBOUND1 +#define XFRM_REPLAY_OUTBOUND 2 + #define XFRM_KM_TIMEOUT30 struct xfrm_mgr @@ -312,6 +319,7 @@ struct xfrm_policy *(*compile_policy)(u16 family, int opt, u8 *data, int len, int *dir); int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport); int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c); + int (*notify_seq)(struct xfrm_state *x, u32 pid, u32 seq); }; extern int xfrm_register_km(struct xfrm_mgr *km); @@ -838,6 +846,8 @@ extern void xfrm_state_flush(u8 proto); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); +extern void xfrm_replay_notify(struct xfrm_state *x, int event); +extern void xfrm_state_replay_update(struct xfrm_state *x, struct xfrm_replay_state *replay); extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); extern int xfrm_init_state(struct xfrm_state *x); @@ -888,6 +898,7 @@ struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); +extern void km_replay_notify(struct xfrm_state *); extern void xfrm_policy_flush(void); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_flush_bundles(void); diff -Nru linux-2.6.13-rc3.org/net/core/sysctl_net_core.c linux-2.6.13-rc3/net/core/sysctl_net_core.c --- linux-2.6.13-rc3.org/net/core/sysctl_net_core.c 2005-07-18 10:24:11.0 +0200 +++ linux-2.6.13-rc3/net/core/sysctl_net_core.c 2005-07-19 10:10:22.0 +0200 @@ -31,6 +31,11 @@ extern char sysctl_divert_version[]; #endif /* CONFIG_NET_DIVERT */ +#ifdef CONFIG_XFRM +extern u32 sysctl_xfrm_seqdiff_in; +extern u32 sysctl_xfrm_seqdiff_out; +#endif /* CONFIG_XFRM */ + ctl_table core_table[] = { #ifdef CONFIG_NET { 
@@ -116,6 +121,24 @@ .proc_handler = &proc_dostring }, #endif /* CONFIG_NET_DIVERT */ +#ifdef CONFIG_XFRM + { + .ctl_name = NET_CORE_XFRM_SEQDIFF_IN, + .procname = "xfrm_seqdiff_in", + .data = &sysctl_xfrm_seqdiff_in, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = &proc_dointvec, + }, + { + .ctl_name = NET_CORE_XFRM_SEQDIFF_O
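Review bot: in the core_table hunk the new entries feed `u32` variables (`extern u32 sysctl_xfrm_seqdiff_in;` / `extern u32 sysctl_xfrm_seqdiff_out;`) through `proc_dointvec` with `.maxlen = sizeof(int)`, so a negative value written to the sysctl is accepted and silently becomes a huge unsigned notification interval; use `proc_dointvec_minmax` with a zero minimum, or declare the variables as `int`. These knobs are also xfrm-specific and sit oddly under NET_CORE next to generic net/core tunables, and the per-state difference values proposed elsewhere in the thread would make them unnecessary.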
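Review bot: in the struct xfrm_mgr hunk the `notify_seq` callback takes `u32 pid, u32 seq` but no event, while the neighbouring prototypes `xfrm_replay_notify(struct xfrm_state *x, int event)` and `km_replay_notify(struct xfrm_state *)` show the event being dropped before it reaches the key manager. If the netlink pid/seq only serve to tell a unicast reply from a multicast notification, carry the event through `km_replay_notify()` and let the xfrm_user side derive the addressing from it; the `km_replay_notify` parameter should also get a name like the other prototypes in the header.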
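Review bot: the `XFRM_MSG_UPDSEQ` / `XFRMGRP_REPLAY` additions in the include/linux/xfrm.h hunk are placed safely (end of the enum, next free group bit), but nothing in the header documents the message payload. The cover letter says one message type serves both kernel-to-user interval notifications and user-to-kernel set requests carrying an XFRMA_REPLAY attribute, and `xfrm_state_replay_update()` takes a whole `struct xfrm_replay_state *`, so a comment stating which attributes are mandatory in each direction and that a set request supplies the full replay state (bitmap included, not only seq/oseq) would help userspace authors.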
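Review bot: the struct xfrm_state hunk documents `preplay` as the replay state at the last notification, but nothing visible says what happens to it when userspace installs new counters via `xfrm_state_replay_update()`; unless that path also resets `preplay` to the new values, the next seqdiff comparison runs against the stale snapshot and either fires immediately or stays silent for a long time. Suggest stating the rule in the comment and resetting `preplay` in the update path.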
[PATCH] IPSec anti-replay sequence numbers
Hi all,

IPSec uses sequence numbers to protect against replay attacks. So far there is no way to get or set these sequence numbers in the kernel. The attached patches will remedy these issues. Any comments are welcome! :) I would be pleased if at least 2.6.13-rc3_ipsec_pfkey_seqnr.diff and 2.6.13-rc3_ipsec_xfrm_seqnr.diff find their way into the vanilla kernel.

Best regards
Ulrich

2.6.13-rc3_ipsec_pfkey_seqnr.diff:
Get sequence numbers over the pf_key interface. Command "setkey -D". Credits go to Hiroyuki YAMAMORI (http://www.linux-ipv6.org/ml/usagi-users/msg02909.html)

2.6.13-rc3_ipsec_xfrm_seqnr.diff:
Get sequence numbers over the XFRM/Netlink interface. Therefore a new XFRM attribute (XFRMA_REPLAY) is added to every SA dump. Please see iproute2-2.6.11-050330_XFRMA_REPLAY.diff to use with "ip -s xfrm state".

2.6.13-rc3_ipsec_set_xfrm_seqnr.diff:
For IPSec HA solutions it is necessary to be informed about sequence number changes and to set the sequence number counter of installed SAs. Therefore a new XFRM group (XFRMGRP_REPLAY) was added with a new XFRM message type XFRM_MSG_UPDSEQ. These XFRM_MSG_UPDSEQ messages can be used to inform in intervals about changed sequence numbers (an inbound and outbound interval is used, set via sysctl) and to set sequence numbers of installed SAs. In addition, it is possible to install SAs with a given XFRMA_REPLAY attribute as initial sequence number value.

diff -Nru linux-2.6.13-rc3.org/net/key/af_key.c linux-2.6.13-rc3/net/key/af_key.c --- linux-2.6.13-rc3.org/net/key/af_key.c 2005-07-18 10:24:12.0 +0200 +++ linux-2.6.13-rc3/net/key/af_key.c 2005-07-18 10:47:15.0 +0200 
@@ -868,7 +868,7 @@ sa2->sadb_x_sa2_mode = x->props.mode + 1; sa2->sadb_x_sa2_reserved1 = 0; sa2->sadb_x_sa2_reserved2 = 0; - sa2->sadb_x_sa2_sequence = 0; + sa2->sadb_x_sa2_sequence = x->replay.seq ? x->replay.seq : x->replay.oseq; sa2->sadb_x_sa2_reqid = x->props.reqid; if (natt && natt->encap_type) { diff -Nru linux-2.6.13-rc3.org/include/linux/sysctl.h linux-2.6.13-rc3/include/linux/sysctl.h --- linux-2.6.13-rc3.org/include/linux/sysctl.h 2005-07-18 10:24:11.0 +0200 +++ linux-2.6.13-rc3/include/linux/sysctl.h 2005-07-18 10:49:54.0 +0200 @@ -253,6 +253,8 @@ NET_CORE_DEV_WEIGHT=17, NET_CORE_SOMAXCONN=18, NET_CORE_BUDGET=19, + NET_CORE_XFRM_SEQDIFF_IN=20, + NET_CORE_XFRM_SEQDIFF_OUT=21, }; /* /proc/sys/net/ethernet */ diff -Nru linux-2.6.13-rc3.org/include/linux/xfrm.h linux-2.6.13-rc3/include/linux/xfrm.h --- linux-2.6.13-rc3.org/include/linux/xfrm.h 2005-07-18 10:49:43.0 +0200 +++ linux-2.6.13-rc3/include/linux/xfrm.h 2005-07-18 10:49:54.0 +0200 @@ -140,6 +140,9 @@ XFRM_MSG_FLUSHPOLICY, #define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY + XFRM_MSG_UPDSEQ, +#define XFRM_MSG_UPDSEQ XFRM_MSG_UPDSEQ + __XFRM_MSG_MAX }; #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1) @@ -263,5 +266,6 @@ #define XFRMGRP_EXPIRE 2 #define XFRMGRP_SA 4 #define XFRMGRP_POLICY 8 +#define XFRMGRP_REPLAY 16 #endif /* _LINUX_XFRM_H */ diff -Nru linux-2.6.13-rc3.org/include/net/xfrm.h linux-2.6.13-rc3/include/net/xfrm.h --- linux-2.6.13-rc3.org/include/net/xfrm.h 2005-07-18 10:24:11.0 +0200 +++ linux-2.6.13-rc3/include/net/xfrm.h 2005-07-18 10:49:54.0 +0200 @@ -134,6 +134,9 @@ /* State for replay detection */ struct xfrm_replay_state replay; + /* Replay detection state at the time we sent the last notification */ + struct xfrm_replay_state preplay; + /* Statistics */ struct xfrm_stats stats; 
@@ -301,6 +304,11 @@ struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; }; +/* which seqno */ +#define XFRM_REPLAY_INBOUND 1 +#define XFRM_REPLAY_OUTBOUND 2 +#define XFRM_REPLAY_BOUND_MASK 3 + #define XFRM_KM_TIMEOUT 30 struct xfrm_mgr @@ -312,6 +320,7 @@ struct xfrm_policy *(*compile_policy)(u16 family, int opt, u8 *data, int len, int *dir); int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport); int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c); + int (*notify_seq)(struct xfrm_state *x, u32, u32); }; extern int xfrm_register_km(struct xfrm_mgr *km); @@ -838,6 +847,8 @@ extern void xfrm_state_flush(u8 proto); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); +extern void xfrm_replay_notify(struct xfrm_state *x, int event); +extern void xfrm_state_replay_update(struct xfrm_state *x, struct xfrm_replay_state *replay); extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); extern int xfrm_init_state(struct xfrm_
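Review bot: in the af_key.c hunk, `sa2->sadb_x_sa2_sequence = x->replay.seq ? x->replay.seq : x->replay.oseq;` folds two counters into the one sadb_x_sa2 field without telling the reader which one it got: an SA whose inbound counter is still 0 reports its outbound counter, and a "setkey -D" consumer cannot distinguish the cases. Either select the counter by the SA's direction or document that the inbound value wins whenever it is non-zero.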
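Review bot: in the struct xfrm_mgr hunk `int (*notify_seq)(struct xfrm_state *x, u32, u32);` leaves both u32 parameters unnamed, so a reader of the header cannot tell the netlink pid from the sequence number; name them as the other callbacks do. The `XFRM_REPLAY_BOUND_MASK 3` define in the same hunk implies the `event` argument of `xfrm_replay_notify()` packs further flags above the two direction bits, which should be spelled out beside the defines.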
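The window logic the first two patches expose and the failover case the third one targets, as an added userspace model that is not the kernel's code and not part of the thread: `struct replay_state`, `REPLAY_WINDOW`, `receive()` and `restore_after_failover()` are assumed names, the check/advance functions follow the semantics of the 2.6-era `xfrm_replay_check()` / `xfrm_replay_advance()`, and the checkpoint and seqdiff values are constructed.

```c
#include <stdint.h>

/* Userspace model of the 2.6-era xfrm anti-replay window (added example,
 * not the kernel's own code): bit i of bitmap means "seq - i was seen". */
struct replay_state { uint32_t seq; uint32_t bitmap; };
#define REPLAY_WINDOW 32          /* assumed x->props.replay_window */

/* Mirrors xfrm_replay_check(): 0 = accept, -1 = replay or outside window. */
static int replay_check(const struct replay_state *r, uint32_t seq)
{
    uint32_t diff;
    if (seq == 0) return -1;              /* seq 0 is never valid */
    if (seq > r->seq) return 0;           /* newer than anything seen */
    diff = r->seq - seq;
    if (diff >= REPLAY_WINDOW) return -1; /* too old to track */
    return (r->bitmap & (1U << diff)) ? -1 : 0;
}

/* Mirrors xfrm_replay_advance(): run only after the packet authenticated.
 * A jump past the window discards the old bitmap (only the new top is set). */
static void replay_advance(struct replay_state *r, uint32_t seq)
{
    if (seq > r->seq) {
        uint32_t diff = seq - r->seq;
        r->bitmap = diff < REPLAY_WINDOW ? (r->bitmap << diff) | 1U : 1U;
        r->seq = seq;
    } else {
        r->bitmap |= 1U << (r->seq - seq);
    }
}

/* Check then advance; returns 1 if the packet was accepted, 0 if dropped. */
static int receive(struct replay_state *r, uint32_t seq)
{
    if (replay_check(r, seq) != 0) return 0;
    replay_advance(r, seq);
    return 1;
}

/* Standby takes over knowing only the counter from the last XFRM_MSG_UPDSEQ
 * style notification, sent every `seqdiff` accepted packets.  Moving the
 * counter to notified_seq + seqdiff covers packets the failed node may have
 * accepted since the notification, but only if the window bitmap is marked
 * seen as well (the set path takes a whole struct xfrm_replay_state). */
static void restore_after_failover(struct replay_state *r,
                                   uint32_t notified_seq, uint32_t seqdiff,
                                   int mark_window_seen)
{
    r->seq = notified_seq + seqdiff;
    r->bitmap = mark_window_seen ? ~0U : 1U;
}
```

Restoring only `seq` from the last notification leaves the window bitmap empty, so a packet the failed node already accepted is accepted a second time; handing the kernel the full replay state with the window marked as seen is what closes that gap at the cost of at most `seqdiff` in-flight packets.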