Bug 676637

Summary: racoon daemon uses an incorrect SA attribute number for security contexts
Product: Red Hat Enterprise Linux 5
Reporter: Joy Latten <latten>
Component: ipsec-tools
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0
CC: avagarwa, roysjosh
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-05 15:10:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Joy Latten 2011-02-10 14:58:04 UTC
Description of problem:
For RHEL 5 LSPP, racoon was modified to leverage ipsec to do MAC networking
(the MAC being SELinux). racoon was modified to include security contexts
in its SA proposal/negotiation via an SA attribute. Unfortunately, it's using
an SA attribute number not assigned by IANA and not from the private-use range.
It is using the number 10, which was later assigned to the ECN SA attribute.
racoon needs to be modified such that the SA attribute number for
security contexts is from the private-use range, 32001-32767.

This affects interoperability on the internet.

Version-Release number of selected component (if applicable):
RHEL 5

How reproducible:
Reproducible when code is compiled to use security contexts

Steps to Reproduce:
1. compile racoon to use security contexts
2. configure ipsec to use security contexts

Solution:

diff -urpN ipsec-tools-0.6.5.orig/src/racoon/ipsec_doi.h ipsec-tools-0.6.5/src/racoon/ipsec_doi.h
--- ipsec-tools-0.6.5.orig/src/racoon/ipsec_doi.h       2011-02-09 13:23:31.000000000 -0600
+++ ipsec-tools-0.6.5/src/racoon/ipsec_doi.h    2011-02-09 13:24:01.000000000 -0600
@@ -134,7 +134,7 @@
 #define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */

 #ifdef HAVE_SECCTX
-#define IPSECDOI_ATTR_SECCTX                10 /* V */
+#define IPSECDOI_ATTR_SECCTX                32001 /* V */
 #endif

 /* 4.6.1 Security Association Payload */
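Review bot: the renumbering of IPSECDOI_ATTR_SECCTX from 10 to 32001 has no compatibility handling and no accompanying documentation, so a racoon built with this patch will silently fail to match the security-context attribute sent by a peer built from the old code, and vice versa; add a note to the change (and to the HAVE_SECCTX build option) that the on-wire attribute number changes and that both ends of an LSPP deployment must be upgraded together, or gate the transition explicitly if mixed deployments have to keep negotiating. The new value itself is fine: 32001 is the first number of the private-use range 32001-32767 named in the description, which removes the collision with the ECN attribute's assigned number 10, and the `/* V */` variable-length marker is correctly kept.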

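The attribute numbering problem in the description, illustrated with added example code that is not racoon's code and not part of the report: it encodes and decodes ISAKMP data attributes in their TV/TLV wire form and audits which range the number chosen for the security-context attribute falls in. The values 10 and 32001-32767 come from the report; the assumption that the IANA registry assigns types 1 through 11, the use of type 4 (Encapsulation Mode, value 1 for tunnel) in the sample proposal, and the sample SELinux context string are mine.

```python
"""Parse ISAKMP data attributes and audit the number used for the
security-context attribute.  Illustration for this bug report only."""
import struct
from dataclasses import dataclass

# From the report: racoon used 10 (later assigned to ECN); the patch moves
# to 32001, the first value of the private-use range 32001-32767.
OLD_SECCTX_ATTR = 10
NEW_SECCTX_ATTR = 32001
PRIVATE_USE = range(32001, 32768)
# Assumption (IANA IPSEC Security Association Attributes registry, not
# stated on the page): types 1 through 11 are assigned, the rest below
# 32001 are unassigned.
IANA_ASSIGNED = range(1, 12)

AF_BIT = 0x8000  # attribute-format bit in the 16-bit type field


@dataclass
class Attr:
    type: int
    value: bytes


def encode_attr(attr_type: int, value: bytes, basic: bool = False) -> bytes:
    """Encode one data attribute.  basic=True uses the TV form (AF bit set,
    2-byte value inside the header); otherwise TLV with a 2-byte length."""
    if not 1 <= attr_type <= 0x7FFF:
        raise ValueError("attribute type must fit in 15 bits")
    if basic:
        if len(value) != 2:
            raise ValueError("basic attributes carry exactly 2 bytes")
        return struct.pack("!HH", attr_type | AF_BIT, int.from_bytes(value, "big"))
    return struct.pack("!HH", attr_type, len(value)) + value


def decode_attrs(buf: bytes) -> list:
    """Decode a run of data attributes, rejecting truncated input."""
    attrs, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute header")
        t, lv = struct.unpack_from("!HH", buf, off)
        off += 4
        if t & AF_BIT:                      # TV: lv is the 2-byte value
            attrs.append(Attr(t & 0x7FFF, lv.to_bytes(2, "big")))
        else:                               # TLV: lv is the value length
            if off + lv > len(buf):
                raise ValueError("attribute length runs past end of buffer")
            attrs.append(Attr(t, buf[off:off + lv]))
            off += lv
    return attrs


def classify(attr_type: int) -> str:
    """Which registry range a 15-bit attribute type falls in."""
    if attr_type in PRIVATE_USE:
        return "private-use"
    if attr_type in IANA_ASSIGNED:
        return "iana-assigned"
    return "unassigned"


def audit_secctx(attrs: list, secctx_type: int) -> list:
    """List the problems with carrying a local extension (the security
    context) under secctx_type; empty when the number is private-use."""
    problems = []
    kind = classify(secctx_type)
    if kind != "private-use":
        problems.append(f"security-context attribute {secctx_type} is {kind}; "
                        f"a local extension must use 32001-32767")
    if kind == "iana-assigned" and any(a.type == secctx_type for a in attrs):
        problems.append(f"attribute {secctx_type} in this proposal cannot be "
                        f"told apart from the IANA-assigned attribute of that "
                        f"number")
    return problems


# Constructed sample: Encapsulation Mode = Tunnel (type 4, value 1) plus an
# SELinux context (a sample string) under the chosen attribute number.
CTX = b"system_u:object_r:ipsec_spd_t:s0"


def build_proposal(secctx_type: int) -> bytes:
    return encode_attr(4, b"\x00\x01", basic=True) + encode_attr(secctx_type, CTX)


if __name__ == "__main__":
    for n in (OLD_SECCTX_ATTR, NEW_SECCTX_ATTR):
        attrs = decode_attrs(build_proposal(n))
        print(n, [(a.type, classify(a.type)) for a in attrs],
              audit_secctx(attrs, n) or "ok")
```

With the old number the audit reports both that 10 is IANA-assigned and that the proposal's type-10 attribute is ambiguous; with 32001 it reports nothing, which is the property the patch in the description restores.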
Comment 1 Tomas Mraz 2012-03-05 15:10:48 UTC
Unfortunately we cannot change this due to existing deployments.