Bug 1425059

Summary: iproute is missing ipsec esn
Product: Red Hat Enterprise Linux 7
Reporter: Jan Tluka <jtluka>
Component: iproute
Assignee: Phil Sutter <psutter>
Status: CLOSED ERRATA
QA Contact: Jan Tluka <jtluka>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.4
CC: aloughla, atragler, haliu, jaster, jiji, mleitner, sukulkar
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: iproute-3.10.0-80.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 21:32:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Tluka 2017-02-20 13:15:37 UTC
Description of problem:

RHEL7 kernel supports ESN for IPSec. Userspace's iproute does not provide this.

# ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b flag esn replay-window 64
Error: argument "esn" is wrong: unknown

Version-Release number of selected component (if applicable):
# rpm -qa iproute
iproute-3.10.0-74.el7.x86_64

How reproducible:
100% 

Steps to Reproduce:

# ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b flag esn replay-window 64

Actual results:
not supported 

Expected results:
supported

Additional info:
Kernel bug: https://bugzilla.redhat.com/show_bug.cgi?id=1210745

Comment 2 Hangbin Liu 2017-03-02 08:59:18 UTC
commit 0151b56d102961c1418aea3ee53428d4ca2669c9
Author: dingzhi <zhi.ding>
Date:   Mon Oct 20 11:23:04 2014 +0200

    xfrm: add support of ESN and anti-replay window

    This patch allows to configure ESN and anti-replay window.

Comment 4 Jan Tluka 2017-04-25 13:21:07 UTC
Verified on iproute-3.10.0-82.el7

# rpm -qa iproute
iproute-3.10.0-74.el7.x86_64

# ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b flag esn replay-window 64
Error: argument "esn" is wrong: unknown

# rpm -Uvh iproute-3.10.0-82.el7.x86_64.rpm

# ip xfrm state add src 192.168.10.1 dst 192.168.10.2 proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b flag esn replay-window 64

# ip -s xfrm state 
src 192.168.10.1 dst 192.168.10.2
	proto esp spi 0x00000001(1) reqid 0(0x00000000) mode transport
	replay-window 0 seq 0x00000000 flag esn (0x10000000)
	enc cbc(aes) 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (128 bits)
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 64, bitmap-length 2
	 00000000 00000000 
	sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2017-04-25 15:19:06 use -
	stats:
	  replay-window 0 replay 0 failed 0
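
A small parser over the `ip -s xfrm state` output shown in the verification above, added here as an example and not part of the bug report or of iproute: it reads the `flag esn` marker and the anti-replay window of each SA and reports SAs that lack ESN or use a short window, taking care that for an ESN SA the real window is the `replay_window` inside the `anti-replay esn context` block while the top-level `replay-window` reads 0. The input is a constructed sample built from the verification output (the second, non-ESN SA is constructed for contrast); the field names are the ones iproute prints, and the 32-packet threshold is an assumed policy value.

```python
# Constructed sample in the `ip -s xfrm state` format from the verification comment:
# the ESN SA from the report (trimmed) plus a constructed non-ESN SA for contrast.
SAMPLE = """\
src 192.168.10.1 dst 192.168.10.2
\tproto esp spi 0x00000001(1) reqid 0(0x00000000) mode transport
\treplay-window 0 seq 0x00000000 flag esn (0x10000000)
\tanti-replay esn context:
\t replay_window 64, bitmap-length 2
\tstats:
\t  replay-window 0 replay 0 failed 0
src 192.168.10.2 dst 192.168.10.1
\tproto esp spi 0x00000002(2) reqid 0(0x00000000) mode transport
\treplay-window 32 seq 0x00000000 flag  (0x00000000)
"""

def parse_xfrm_state(text):
    """One dict per SA with the anti-replay settings that `ip -s xfrm state` prints."""
    sas, sa, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace() and line.startswith("src "):
            f = line.split()
            sa = {"src": f[1], "dst": f[3], "flags": [], "replay_window": 0, "esn_window": None}
            sas.append(sa)
            section = None
        elif sa is None:
            continue
        elif line.endswith(":"):  # sub-block header: "anti-replay esn context:", "stats:", ...
            section = line[:-1]
        elif section is None and line.startswith("replay-window "):  # the SA line, not the stats copy
            sa["replay_window"] = int(line.split()[1])
            sa["flags"] = line.partition("flag ")[2].split("(")[0].split()  # e.g. ["esn"]
        elif section == "anti-replay esn context" and line.startswith("replay_window "):
            sa["esn_window"] = int(line.split()[1].rstrip(","))
    return sas

def effective_window(sa):
    """ESN SAs keep the real window in the esn context; the top-level field may read 0."""
    return sa["esn_window"] if "esn" in sa["flags"] and sa["esn_window"] is not None else sa["replay_window"]

def audit(text, min_window=32):
    """Map (src, dst) to its problems: missing ESN, or an effective window below min_window."""
    problems = {}
    for sa in parse_xfrm_state(text):
        reasons = [] if "esn" in sa["flags"] else ["no esn"]
        if effective_window(sa) < min_window:
            reasons.append("window %d < %d" % (effective_window(sa), min_window))
        if reasons:
            problems[(sa["src"], sa["dst"])] = reasons
    return problems
```

On a live host the same functions can be fed the output of `ip -s xfrm state` (run as root) instead of the sample.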

Comment 5 errata-xmlrpc 2017-08-01 21:32:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2171