[redhat-lspp] Labeled IPsec and UDP ... not quite what I was expecting

Venkat Yekkirala vyekkirala at trustedcs.com
Thu Mar 29 14:01:37 UTC 2007


[Joy, thanks for flagging me to this. I am not in the habit of tracking lspp
daily currently]

> -----Original Message-----
> From: Joy Latten [mailto:latten at austin.ibm.com]
> On Wed, 2007-03-28 at 17:35 -0400, Paul Moore wrote:
> > Well, I still did find one thing that was a bit odd, perhaps you can help
> > explain it to me.  When I use the following SPD (where A and B are IPv4
> > addresses, with the other end having the same policy but a shift in
> > direction):
> >
> > spdadd A B[5300] tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd A[5300] B tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd B[5300] A tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> > spdadd B A[5300] tcp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> >
> > spdadd A B[5300] udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd A[5300] B udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P out ipsec ah/transport//require;
> > spdadd B[5300] A udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> > spdadd B A[5300] udp
> >         -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >         -P in ipsec ah/transport//require;
> >
> > ... and connect from B to A running netcat using both TCP and UDP I find that
> > both the UDP and TCP connections use the same SA on the host generating the
> > traffic.  Based on the SPD above I wouldn't think that to be the case ...
> >
>
> I see this too. I took a brief look at the code and could not readily
> find where we copy the selector info into the xfrm_state...

SPD stands for Security Policy Database and has just that: policy. Once
an SPD rule determines that a certain "flow/packet" needs to use an ipsec
SA with certain characteristics (ah/esp/ipcomp/combo, transport/tunnel, etc.),
an SA or SAs with the given characteristics are used. So, it's perfectly
logical that the same SA would be used when the SA characteristics
among the different policy rules are the same. Varying any of these
characteristics and/or the label of the flow/packet should cause a different
SA to be used. Let me know if you find otherwise. It's also possible to
require unique SAs. See setkey(8), etc.
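The behaviour described in the reply above, as an added illustration that is not part of the thread and not code from any of its participants: a small Python parser for setkey(8) `spdadd` statements that groups the quoted SPD rules by a simplified SA identity (direction, IPsec protocol, mode, tunnel endpoints, level, and the `-ctx` label). That identity is an assumed model for the purpose of the example, not the kernel's exact xfrm_state lookup. The traffic selector (addresses, ports, upper-layer protocol) is deliberately not part of it, which is why the eight TCP and UDP rules collapse onto two modelled SAs, one per direction, while a different label or the `unique` level splits them. The `relabel` helper and the reading of `unique:N` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed copy of the SPD quoted in the thread; A and B stand for IPv4 addresses.
SPD_TEXT = '''
spdadd A B[5300] tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
spdadd A[5300] B tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
spdadd B[5300] A tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P in ipsec ah/transport//require;
spdadd B A[5300] tcp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P in ipsec ah/transport//require;
spdadd A B[5300] udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
spdadd A[5300] B udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P out ipsec ah/transport//require;
spdadd B[5300] A udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P in ipsec ah/transport//require;
spdadd B A[5300] udp -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
        -P in ipsec ah/transport//require;
'''

# One spdadd statement: selector, optional -ctx, then -P direction action [proposals];
RULE_RE = re.compile(
    r'spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ul>\S+)\s+'
    r'(?:-ctx\s+(?P<doi>\d+)\s+(?P<alg>\d+)\s+"(?P<ctx>[^"]*)"\s+)?'
    r'-P\s+(?P<dir>in|out|fwd)\s+(?P<action>ipsec|discard|none)'
    r'(?P<proposals>[^;]*);',
    re.S,
)
# "B[5300]" -> ("B", "5300"); "A" -> ("A", "any")
ENDPOINT_RE = re.compile(r'^(?P<addr>[^\[]+)(?:\[(?P<port>\d+|any)\])?$')


def parse_endpoint(token):
    m = ENDPOINT_RE.match(token)
    if m is None:
        raise ValueError(f'bad endpoint: {token}')
    return m.group('addr'), m.group('port') or 'any'


def parse_spd(text):
    """Parse spdadd statements into dicts holding the selector and the policy."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, sport = parse_endpoint(m.group('src'))
        dst, dport = parse_endpoint(m.group('dst'))
        proposals = []
        for prop in m.group('proposals').split():
            # proposal syntax: protocol/mode/src-dst/level, e.g. ah/transport//require
            proto, mode, endpoints, level = prop.split('/')
            proposals.append({'proto': proto, 'mode': mode,
                              'endpoints': endpoints, 'level': level})
        rules.append({'selector': f'{src}:{sport} -> {dst}:{dport} {m.group("ul")}',
                      'ctx': m.group('ctx'), 'dir': m.group('dir'),
                      'action': m.group('action'), 'proposals': proposals})
    return rules


def sa_key(rule, proposal, rule_index):
    """Simplified SA identity (assumption, not the kernel's exact xfrm lookup):
    direction, protocol, mode, tunnel endpoints, level and security context.
    The traffic selector is absent on purpose: it belongs to the SPD, not the SA."""
    level, _, reqid = proposal['level'].partition(':')
    key = (rule['dir'], proposal['proto'], proposal['mode'],
           proposal['endpoints'], level, rule['ctx'])
    if level == 'unique':
        # 'unique' pins each rule to its own SA; 'unique:N' lets rules naming the
        # same N share one (this example's reading of setkey(8))
        key += (reqid or f'rule{rule_index}',)
    return key


def group_by_sa(rules):
    """Map each modelled SA to the selectors that would steer traffic into it."""
    groups = defaultdict(list)
    for i, rule in enumerate(rules):
        if rule['action'] != 'ipsec':
            continue
        for proposal in rule['proposals']:
            groups[sa_key(rule, proposal, i)].append(rule['selector'])
    return dict(groups)


def relabel(text, upper_layer, old_ctx, new_ctx):
    """Hypothetical helper: give the rules of one upper-layer protocol another label."""
    parts = text.split('spdadd')
    return 'spdadd'.join(p.replace(old_ctx, new_ctx) if f' {upper_layer} ' in p else p
                         for p in parts)


if __name__ == '__main__':
    variants = [('require, same label', SPD_TEXT),
                ('unique level', SPD_TEXT.replace('//require', '//unique')),
                ('require, udp relabelled', relabel(SPD_TEXT, 'udp', ':s0"', ':s1"'))]
    for title, text in variants:
        groups = group_by_sa(parse_spd(text))
        print(f'{title}: {len(groups)} modelled SA(s)')
        for key, selectors in groups.items():
            print('  ', key)
            for sel in selectors:
                print('      ', sel)
```

Run as a script to see the grouping for the three variants: the SPD as quoted yields one outbound and one inbound SA shared by all four TCP and UDP selectors, the `unique` level yields eight, and relabelling only the UDP rules yields four.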
