Bug 497355

Summary: ip should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
Product: Fedora
Reporter: Jiri Klimes <klimes>
Component: iproute
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 10
CC: mmaslano, rvokal
Doc Type: Bug Fix
Last Closed: 2009-06-10 13:14:57 UTC
Attachments:
[PATCH] ip allows creation of shared IPsec SA for UDP and TCP (flags: none)

Description Jiri Klimes 2009-04-23 14:50:53 UTC
Description of problem:

When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and specifies 'sport' and 'dport' at the same time in the selector, the following error is issued:
  "sport" and "dport" are invalid with proto=ip

However, using IPPROTO_IP with ports is completely legal and is necessary when one wants to share the SA between both TCP and UDP.
One of the applications requiring shared SAs is 3GPP IMS AKA authentication.


Version-Release number of selected component (if applicable):
any
tried with iproute-2.6.27-2.fc10.i386

How reproducible:
Always.


Steps to Reproduce:
ip x s add src 10.0.0.10 dst 10.0.0.20 proto esp spi 0x3113 enc cipher_null "" auth md5 0xbde359723576fdea08e56cbe876e24ad mode transport sel proto any sport 1234 dport 4321

Actual results:
error message

Expected results:
The ip command of the iproute package should allow adding 'shared' IPsec SAs with specified ports and the protocol set to 0 (IPPROTO_IP).

Note: XFRM allows this programmatically.


Additional info:

I suggest the patch in the attachment.
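
Added example, not the attached patch and not iproute2's own code: a C snippet that fills the kernel-side `struct xfrm_selector` (from linux/xfrm.h) for the SA in the reproducer, with `proto` 0 (IPPROTO_IP) and both ports set, next to a check function modelling the relaxed rule the report asks for. The exact set of protocols the check accepts and the function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <linux/xfrm.h>
#include <string.h>
#include <stdio.h>

/* Selector for the shared SA from the report: proto 0 (any) between
 * 10.0.0.10 and 10.0.0.20, sport 1234, dport 4321. The kernel keeps
 * ports in network byte order inside struct xfrm_selector. */
static struct xfrm_selector shared_sa_selector(void)
{
    struct xfrm_selector sel;
    memset(&sel, 0, sizeof(sel));
    sel.family = AF_INET;
    inet_pton(AF_INET, "10.0.0.10", &sel.saddr.a4);
    inet_pton(AF_INET, "10.0.0.20", &sel.daddr.a4);
    sel.prefixlen_s = 32;
    sel.prefixlen_d = 32;
    sel.proto = IPPROTO_IP;     /* 0: matches TCP and UDP alike */
    sel.sport = htons(1234);
    sel.dport = htons(4321);
    sel.sport_mask = 0xffff;
    sel.dport_mask = 0xffff;
    return sel;
}

/* Assumed form of the relaxed check the report asks for: port selectors
 * are accepted for TCP, UDP and proto any (one SA shared by both), and
 * refused for any other protocol. Returns 1 if acceptable, 0 if not. */
static int selector_ports_allowed(const struct xfrm_selector *sel)
{
    if (sel->sport == 0 && sel->dport == 0)
        return 1;               /* no port selector, nothing to check */
    switch (sel->proto) {
    case IPPROTO_TCP:
    case IPPROTO_UDP:
    case IPPROTO_IP:            /* the case the old check rejected */
        return 1;
    default:
        return 0;
    }
}

int main(void)
{
    struct xfrm_selector sel = shared_sa_selector();
    printf("proto=%u sport=%u dport=%u allowed=%d\n", (unsigned)sel.proto,
           (unsigned)ntohs(sel.sport), (unsigned)ntohs(sel.dport),
           selector_ports_allowed(&sel));
    return 0;
}
```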

Comment 1 Jiri Klimes 2009-04-23 14:54:10 UTC
Created attachment 340947 [details]
[PATCH] ip allows creation of shared IPsec SA for UDP and TCP

Comment 2 Marcela Mašláňová 2009-04-24 07:46:57 UTC
Hello,
looks good to me. I'll put it into rawhide and probably into next update to F-10.

Please send your patch upstream to netdev (at) vger.kernel (dot) org. It will be great if they put it into iproute2's git and into the next version.

Comment 3 Jiri Klimes 2009-04-24 11:19:13 UTC
Thanks.
I've posted the patch to netdev mailing list for a review.