Bug 441384 - [iPv6DoD] fix RFC 4309 Using AES CCM Mode with IPsec ESP
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iproute
5.2
All Linux
high Severity high
: rc
Assigned To: Marcela Mašláňová
Brock Organ
Duplicates: 443423
Depends On: 443410
Blocks: 253764 443423
Reported: 2008-04-07 16:01 EDT by Linda Wang
Modified: 2008-05-21 10:36 EDT
Fixed In Version: RHEA-2008-0451
Doc Type: Bug Fix
Last Closed: 2008-05-21 10:36:54 EDT
Description Linda Wang 2008-04-07 16:01:05 EDT
Description of problem:

In order to support RFC 4309 using AES CCM Mode with IPSec ESP,
we need to include the following patch posted by Herbert a while back to
iproute so we can configure and use the CCM algorithm in IPsec as well as
test it.

http://marc.info/?l=linux-crypto-vger&m=120365914102073&w=2

This patch is needed for manual keying. 

Comment 1 Linda Wang 2008-04-07 16:02:07 EDT
"We also need to patch Openswan to do this too."
Comment 8 Lawrence Lim 2008-04-08 21:11:39 EDT
zwu, 
could you help verify this bug while you are working on IPSec?

Comment 10 IBM Bug Proxy 2008-04-17 19:40:32 EDT
------- Comment From latten@us.ibm.com 2008-04-17 19:32 EDT-------
I downloaded http://people.redhat.com/nhorman/rpms/ibm.tbz2 which
contains some of the snap5 packages such as iproute-2.6.18-6.el5.xxx.rpm.

I tested this version of iproute and it doesn't work with CCM
regardless of architecture. I guess something is missing or incorrect
in the patch. Will take a look.

Reproduce by trying:
ip xfrm state add src fc00:0:0:105::35 dst fc00:0:0:105::64 proto esp spi 0x201 mode transport aead "rfc4309(ccm(aes))" 0x0102037aeaca3f87d060a12f4a4487d5a5c335 96
Comment 12 Marcela Mašláňová 2008-04-21 08:32:13 EDT
Don't we also need some kernel patch? 
I've tried iproute with patch and also upstream version of iproute with patch.
Both end up with the same message: RTNETLINK answers: Invalid argument.
Comment 13 Neil Horman 2008-04-21 11:22:07 EDT
We shouldn't need any additional kernel patches. This patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=4a49b499dfa0c9e42be6d6fdd771f3434c776278
was added to enable ccm support via bug 253051, which went into kernel -67.
It's possible too that the module isn't autoloading for some reason.  I would
suggest manually running:
modprobe ccm
prior to your testing, and confirming that the module has loaded.  My guess is
that will fix your problem.  In the interim, I'll ping Joy and Herbert to see if
they know any more about this.
Comment 14 IBM Bug Proxy 2008-04-21 12:48:44 EDT
------- Comment From latten@us.ibm.com 2008-04-21 12:43 EDT-------
I recall having some problems because in the xfrm.h file,
I think instead of "XFRMA_ALG_AEAD," I needed "XFRMA_ALG_AEAD = 18".
The kernel's include/linux/xfrm.h defines it as the latter and
so I think iproute's xfrm.h needs to look like this too.

I tried this and it seems to fix the problem.
Comment 16 Marcela Mašláňová 2008-04-22 03:26:15 EDT
This change fixed iproute, although I didn't find anywhere mentioned
"XFRMA_ALG_AEAD = 18".

It was working for me with kernel-2.6.18-90.el5 and iproute-2.6.18-7.el5.
Comment 17 Herbert Xu 2008-04-22 03:34:53 EDT
I just checked the kernel source and it should definitely be 18.  When we update
iproute headers, we should always take the kernel values as authoritative.  Thanks!
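
An added illustration (not code from this bug report, iproute or the kernel) of why a userspace header whose XFRMA_ALG_AEAD differs from the kernel's 18 ends in "Invalid argument". The stale value 17, the simplified attribute layout (no alignment padding) and all names other than the value 18 are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define KERNEL_XFRMA_ALG_AEAD 18 /* kernel value quoted in the thread */

/* Assumed stale userspace header: one earlier attribute is missing, so an
 * enumerator appended without "= 18" silently takes the value 17. */
enum stale_attr { STALE_UNSPEC, STALE_LAST_KNOWN = 16, STALE_ALG_AEAD };
/* Header with the value pinned to the kernel's, as suggested in the thread. */
enum fixed_attr { FIXED_UNSPEC, FIXED_LAST_KNOWN = 16, FIXED_ALG_AEAD = 18 };
_Static_assert(FIXED_ALG_AEAD == KERNEL_XFRMA_ALG_AEAD, "header drifted from kernel ABI");

/* Simplified netlink-style attribute header: total length, then type. */
struct tlv { uint16_t len; uint16_t type; };

/* Userspace side: write one attribute into buf, return bytes written. */
size_t put_attr(uint8_t *buf, uint16_t type, const void *data, uint16_t n)
{
    struct tlv h = { (uint16_t)(sizeof(struct tlv) + n), type };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, data, n);
    return h.len;
}

/* Kernel side (model): the request is valid only if an attribute carrying
 * the kernel's own AEAD type number is present. */
int kernel_add_state(const uint8_t *buf, size_t total)
{
    size_t off = 0;
    while (off + sizeof(struct tlv) <= total) {
        struct tlv h;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || h.len > total - off)
            return -EINVAL;             /* malformed attribute length */
        if (h.type == KERNEL_XFRMA_ALG_AEAD)
            return 0;                   /* AEAD algorithm attribute found */
        off += h.len;
    }
    return -EINVAL;                     /* number mismatch: attribute not seen */
}

/* Build a one-attribute request using the given AEAD type number. */
int try_add(uint16_t aead_type)
{
    uint8_t msg[64];
    const char alg[] = "rfc4309(ccm(aes))";
    return kernel_add_state(msg, put_attr(msg, aead_type, alg, sizeof alg));
}
```

The `_Static_assert` is the kind of build-time check that catches this drift before a binary ships.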
Comment 18 Linda Wang 2008-04-22 10:21:16 EDT
*** Bug 443423 has been marked as a duplicate of this bug. ***
Comment 20 IBM Bug Proxy 2008-05-07 12:40:40 EDT
------- Comment From latten@us.ibm.com 2008-05-07 12:38 EDT-------
This tested successfully in snapshot 7.
Therefore it has successfully passed verification.
Comment 22 errata-xmlrpc 2008-05-21 10:36:54 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0451.html
