Red Hat Bugzilla – Bug 441384
[iPv6DoD] fix RFC 4309 Using AES CCM Mode with IPsec ESP
Last modified: 2008-05-21 10:36:54 EDT
Description of problem:
In order to support RFC 4309 using AES CCM Mode with IPsec ESP,
we need to include the following patch posted by Herbert a while back to
iproute so we can configure and use the CCM algorithm in IPsec as well as
This patch is needed for manual keying.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
"We also need to patch Openswan to do this too."
Could you help verify this bug while you are working on IPsec?
------- Comment From firstname.lastname@example.org 2008-04-17 19:32 EDT-------
I downloaded http://people.redhat.com/nhorman/rpms/ibm.tbz2 which
contains some of the snap5 packages such as iproute-2.6.18-6.el5.xxx.rpm.
I tested this version of iproute and it doesn't work with CCM
regardless of architecture. I guess something is missing or incorrect
in the patch. Will take a look.
Reproduce by trying:
ip xfrm state add src fc00:0:0:105::35 dst fc00:0:0:105::64 proto esp spi 0x201 \
    mode transport aead "rfc4309(ccm(aes))" 0x0102037aeaca3f87d060a12f4a4487d5a5c335 96
Don't we also need some kernel patch?
I've tried iproute with patch and also upstream version of iproute with patch.
Both end up with the same message: RTNETLINK answers: Invalid argument.
We shouldn't need any additional kernel patches. This patch:
was added to enable CCM support via bug 253051, which went into kernel -67.
It's possible too that the module isn't autoloading for some reason. I would
suggest manually running:
prior to your testing, and confirming that the module has loaded. My guess is
that will fix your problem. In the interim, I'll ping Joy and Herbert to see if
they know any more about this.
------- Comment From email@example.com 2008-04-21 12:43 EDT-------
I recall having some problems because in the xfrm.h file,
I think instead of "XFRMA_ALG_AEAD," I needed "XFRMA_ALG_AEAD = 18".
The kernel's include/linux/xfrm.h defines it as the latter and
so I think iproute's xfrm.h needs to look like this too.
I tried this and it seems to fix the problem.
This change fixed iproute, although I didn't find anywhere mentioned
"XFRMA_ALG_AEAD = 18".
It was working for me with kernel-2.6.18-90.el5 and iproute-2.6.18-7.el5.
I just checked the kernel source and it should definitely be 18. When we update
iproute headers, we should always take the kernel values as authoritative. Thanks!
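The header mismatch discussed in the comments above, as an added example that is not part of the original thread or of the iproute or kernel sources. The enum names, the `demo_*` helpers and the missing earlier entry in the stale header are assumptions made for illustration; only the value 18 and the resulting "Invalid argument" come from the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Kernel-side value of XFRMA_ALG_AEAD, as stated in the thread. */
enum { KERN_XFRMA_ALG_AEAD = 18 };

/* Constructed userspace header copies (names hypothetical). The stale one
 * relies on implicit numbering and, by assumption, lacks one earlier entry
 * that the kernel enum has, so its AEAD constant lands on 17. */
enum stale_hdr { STALE_POLICY_TYPE = 16, STALE_ALG_AEAD };
enum fixed_hdr { FIXED_POLICY_TYPE = 16, FIXED_ALG_AEAD = 18 };

/* Minimal stand-in for a netlink attribute header (length + type). */
struct demo_attr { uint16_t len; uint16_t type; };

/* Toy model of the receiving side: an ESP state request must carry an
 * algorithm attribute whose type the kernel recognises; otherwise the
 * request fails with EINVAL, which ip prints as "Invalid argument". */
int demo_kernel_check(const struct demo_attr *attrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (attrs[i].type == KERN_XFRMA_ALG_AEAD)
            return 0;
    return -EINVAL;
}

/* Build the one-attribute request a sender would emit with the given
 * header constant and return the receiver's verdict. */
int demo_send_aead(uint16_t aead_type)
{
    struct demo_attr req[1] = { { sizeof(struct demo_attr), aead_type } };
    return demo_kernel_check(req, 1);
}

/* Compile-time guard that can sit next to a copied header: the build
 * breaks as soon as the userspace constant drifts from the kernel's. */
_Static_assert(FIXED_ALG_AEAD == KERN_XFRMA_ALG_AEAD,
               "XFRMA_ALG_AEAD differs from the kernel value");

int main(void)
{
    /* Exit 0 when the fixed header is accepted and the stale one is not. */
    return (demo_send_aead(FIXED_ALG_AEAD) == 0 &&
            demo_send_aead(STALE_ALG_AEAD) == -EINVAL) ? 0 : 1;
}
```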
*** Bug 443423 has been marked as a duplicate of this bug. ***
------- Comment From firstname.lastname@example.org 2008-05-07 12:38 EDT-------
This tested successfully in snapshot 7.
Therefore it has successfully passed verification.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.