* Regarding xfrm state search with destination address as wildcard mask
@ 2017-07-06  6:51 Balaji Foss
  2017-07-11 11:28 ` Balaji Foss
  0 siblings, 1 reply; 2+ messages in thread
From: Balaji Foss @ 2017-07-06  6:51 UTC (permalink / raw)
  To: netdev; +Cc: steffen.klassert, herbert

Hi All,

I'm trying to implement IPsec for OSPFv3 as per RFC 4552 on Linux kernel
version 3.16.39.
The requirement is to support IPsec encryption/authentication for OSPFv3 traffic.
As of now, this can be achieved by the following set of SA and SP rules.

ip xfrm state add src :: dst ff02::5 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src :: dst ff02::6 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src <sip> dst <dst_ip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
ip xfrm state add src <dst_ip> dst <sip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678

ip xfrm policy add dir out src <sip> dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
ip xfrm policy add dir in src 0::0/0 dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use


One can notice that it needs four SA rules to achieve IPsec for a single
OSPF interface.
Instead of these four rules, can we have a single rule with DIP as a
wildcard mask and the xfrm state search based on SPI, family and
proto alone?

As of now, the API "__xfrm_state_lookup" searches based on
SPI, family, proto and dest_addr. Is there any way I can achieve the SA
lookup without dest_addr and only with SPI, family and proto alone?

Any help or pointers are greatly appreciated.

Regards
Bala
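
As an added illustration (not part of the original post and not kernel code), this user-space C model keys an SA table on destination address, SPI and proto, as the post describes for "__xfrm_state_lookup", and shows why each OSPFv3 destination on a link needs its own entry. The addresses fe80::1 and fe80::2 are constructed stand-ins for <sip> and <dst_ip>, and all function names are hypothetical.

```c
/* Simplified user-space model of the SA lookup key; not kernel code. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PROTO_AH 51   /* IP protocol number of AH */
#define MAX_SA   8
struct sa { struct in6_addr daddr; uint32_t spi; uint8_t proto; };
static struct sa table[MAX_SA];   /* family is fixed to IPv6 in this model */
static int nsa;
/* OSPFv3 destinations on one link; fe80::2, fe80::1 are constructed stand-ins for <dst_ip>, <sip>. */
static const char *const OSPF_DSTS[4] = { "ff02::5", "ff02::6", "fe80::2", "fe80::1" };

/* Install one SA; returns its index, or -1 on a bad address or full table. */
static int sa_add(const char *dst, uint32_t spi, uint8_t proto) {
    if (nsa == MAX_SA || inet_pton(AF_INET6, dst, &table[nsa].daddr) != 1)
        return -1;
    table[nsa].spi = spi;
    table[nsa].proto = proto;
    return nsa++;
}

/* Strict lookup: destination address, SPI and proto must all match. */
static int sa_lookup(const char *dst, uint32_t spi, uint8_t proto) {
    struct in6_addr d;
    if (inet_pton(AF_INET6, dst, &d) != 1) return -1;
    for (int i = 0; i < nsa; i++)
        if (table[i].spi == spi && table[i].proto == proto &&
            memcmp(&table[i].daddr, &d, sizeof d) == 0)
            return i;
    return -1;
}

/* How many of the link's OSPFv3 destinations resolve to an installed SA. */
static int covered(uint32_t spi) {
    int hits = 0;
    for (int i = 0; i < 4; i++)
        hits += sa_lookup(OSPF_DSTS[i], spi, PROTO_AH) >= 0;
    return hits;
}

int main(void) {
    sa_add(OSPF_DSTS[2], 0x401, PROTO_AH);          /* unicast SA only */
    printf("1 SA:  %d/4 destinations match\n", covered(0x401));
    for (int i = 0; i < 4; i++)                     /* install the rest */
        if (i != 2) sa_add(OSPF_DSTS[i], 0x401, PROTO_AH);
    printf("4 SAs: %d/4 destinations match\n", covered(0x401));
    return 0;
}
```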


* Re: Regarding xfrm state search with destination address as wildcard mask
  2017-07-06  6:51 Regarding xfrm state search with destination address as wildcard mask Balaji Foss
@ 2017-07-11 11:28 ` Balaji Foss
  0 siblings, 0 replies; 2+ messages in thread
From: Balaji Foss @ 2017-07-11 11:28 UTC (permalink / raw)
  To: netdev; +Cc: steffen.klassert, Herbert Xu

Hi

Any help on this query is greatly appreciated.

Thanks,
  - Balaji

On Thu, Jul 6, 2017 at 12:21 PM, Balaji Foss <balajig.foss@gmail.com> wrote:
> Hi All,
>
> I'm trying to implement IPsec for OSPFv3 as per RFC 4552 on Linux kernel
> version 3.16.39.
> The requirement is to support IPsec encryption/authentication for OSPFv3 traffic.
> As of now, this can be achieved by the following set of SA and SP rules.
>
> ip xfrm state add src :: dst ff02::5 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src :: dst ff02::6 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src <sip> dst <dst_ip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src <dst_ip> dst <sip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
>
> ip xfrm policy add dir out src <sip> dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
> ip xfrm policy add dir in src 0::0/0 dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
>
>
> One can notice that it needs four SA rules to achieve IPsec for a single
> OSPF interface.
> Instead of these four rules, can we have a single rule with DIP as a
> wildcard mask and the xfrm state search based on SPI, family and
> proto alone?
>
> As of now, the API "__xfrm_state_lookup" searches based on
> SPI, family, proto and dest_addr. Is there any way I can achieve the SA
> lookup without dest_addr and only with SPI, family and proto alone?
>
> Any help or pointers are greatly appreciated.
>
> Regards
> Bala
