[PATCH] IPsec NAT-T issue

2016-06-12 Thread Blair Steven 

During testing we have discovered an issue with IPsec NAT-T where the SPI
is over writing the source and dest ports of the UDP header. I'm not
super familiar with this code, but I've found a solution that seems
to work in my setup.

I'd like some feedback on this please, if it's the right thing to be doing
here, or if it should be done elsewhere.

Thanks very much

Blair Steven (1):
  esp: correct offset for ESN when using NAT-T

 net/ipv4/esp4.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.8.3

Re: [PATCH] IPsec NAT-T issue

2016-06-13 Thread Steffen Klassert 
On Mon, Jun 13, 2016 at 11:48:13AM +1200, Blair Steven wrote:
> 
> During testing we have discovered an issue with IPsec NAT-T where the SPI
> is over writing the source and dest ports of the UDP header. 

The headers should be restored after the crypto operation in
esp_restore_header(). Does this not happen in your case? What
kind of problem do you experience?

Re: [PATCH] IPsec NAT-T issue

2016-06-14 Thread Blair Steven 
The restoration is happening - but being actioned on the wrong location.

The destination IP address is being saved and restored, and the SPI 
being written directly after the destination IP address. From my 
understanding though, the ESN shuffling should have saved and restored 
the UDP source / dest ports + SPI.

-Blair

On 06/13/2016 10:20 PM, Steffen Klassert wrote:
> On Mon, Jun 13, 2016 at 11:48:13AM +1200, Blair Steven wrote:
>> During testing we have discovered an issue with IPsec NAT-T where the SPI
>> is over writing the source and dest ports of the UDP header.
> The headers should be restored after the crypto operation in
> esp_restore_header(). Does this not happen in your case? What
> kind of problem do you experience?
>

Re: [PATCH] IPsec NAT-T issue

2016-06-17 Thread Steffen Klassert 
On Wed, Jun 15, 2016 at 12:44:54AM +, Blair Steven wrote:
> The restoration is happening - but being actioned on the wrong location.
> 
> The destination IP address is being saved and restored, and the SPI 
> being written directly after the destination IP address. From my 
> understanding though, the ESN shuffling should have saved and restored 
> the UDP source / dest ports + SPI.

Yes, looks like we copy with a wrong offset if udp encapsulation
is used, skb_transport_header() does not point to the esp header
in this case. Ccing Herbert, he changed this part when switching
to the new AEAD interface with
commit 7021b2e1cddd ("esp4: Switch to new AEAD interface").

> 
> -Blair
> 
> On 06/13/2016 10:20 PM, Steffen Klassert wrote:
> > On Mon, Jun 13, 2016 at 11:48:13AM +1200, Blair Steven wrote:
> >> During testing we have discovered an issue with IPsec NAT-T where the SPI
> >> is over writing the source and dest ports of the UDP header.
> > The headers should be restored after the crypto operation in
> > esp_restore_header(). Does this not happen in your case? What
> > kind of problem do you experience?
> >