Description of problem:
When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and specifies 'sport' and 'dport' at the same time in the selector, the following error is issued:

"sport" and "dport" are invalid with proto=ip

However, using IPPROTO_IP with ports is completely legal and necessary when one wants to share the SA on both TCP and UDP. One of the applications requiring shared SAs is 3GPP IMS AKA authentication.

Version-Release number of selected component (if applicable):
any; tried with iproute-2.6.27-2.fc10.i386

How reproducible:
Always.

Steps to Reproduce:
ip x s add src 10.0.0.10 dst 10.0.0.20 proto esp spi 0x3113 enc cipher_null "" auth md5 0xbde359723576fdea08e56cbe876e24ad mode transport sel proto any sport 1234 dport 4321

Actual results:
error message

Expected results:
The ip command of the iproute package should allow adding 'shared' IPsec SAs with specified ports and the protocol set to 0 (IPPROTO_IP).

Note: XFRM allows this programmatically.

Additional info:
I suggest the patch in the attachment.
Created attachment 340947 [details] [PATCH] ip allows creation of shared IPsec SA for UDP and TCP
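The reporter's note that "XFRM allows this programmatically" can be checked without the patched ip(8). The following is an added example, not the attached patch and not iproute2 code: it hand-builds the XFRM_MSG_NEWSA netlink request for the same SA as the reproducer (src 10.0.0.10, dst 10.0.0.20, ESP SPI 0x3113, transport mode, cipher_null plus the MD5 key from the report, selector proto 0 with sport 1234 and dport 4321) and hands it to the kernel over a NETLINK_XFRM socket. Assumptions: a Linux host with the xfrm headers installed, CAP_NET_ADMIN to actually install the state (the build step itself needs no privilege), and a kernel whose selector match treats proto 0 as a wildcard while still comparing the ports, which is what makes one SA serve both TCP and UDP.

```c
// Added example (not the attached patch, not iproute2 code): build the
// XFRM_MSG_NEWSA request for the report's "shared" SA directly, with selector
// proto 0 (IPPROTO_IP, "any") together with sport/dport, and send it to the
// kernel. Addresses, SPI and MD5 key are the constructed values from the report.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <errno.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BUFSZ 1024
unsigned char req[BUFSZ];              /* one request buffer, reused by main() */

static const unsigned char md5_key[16] = {   /* 0xbde359723576fdea08e56cbe876e24ad */
    0xbd,0xe3,0x59,0x72,0x35,0x76,0xfd,0xea,0x08,0xe5,0x6c,0xbe,0x87,0x6e,0x24,0xad };

/* Append one netlink attribute after the current payload; -1 on overflow. */
static int add_attr(struct nlmsghdr *nlh, size_t cap, int type, const void *data, int len)
{
    size_t off = NLMSG_ALIGN(nlh->nlmsg_len);
    if (off + NLA_ALIGN(NLA_HDRLEN + len) > cap)
        return -1;
    struct nlattr *a = (struct nlattr *)((unsigned char *)nlh + off);
    a->nla_type = type;
    a->nla_len = NLA_HDRLEN + len;
    memcpy((unsigned char *)a + NLA_HDRLEN, data, len);
    nlh->nlmsg_len = off + NLA_ALIGN(a->nla_len);
    return 0;
}

/* XFRMA_ALG_* attribute: struct xfrm_algo followed by the raw key bytes. */
static int add_algo(struct nlmsghdr *nlh, size_t cap, int type, const char *name,
                    const unsigned char *key, int keylen)
{
    unsigned char tmp[sizeof(struct xfrm_algo) + 64];
    struct xfrm_algo *alg = (struct xfrm_algo *)tmp;
    if (keylen > 64) return -1;
    memset(tmp, 0, sizeof tmp);
    strncpy(alg->alg_name, name, sizeof alg->alg_name - 1);
    alg->alg_key_len = keylen * 8;            /* the kernel counts key length in bits */
    if (keylen) memcpy(alg->alg_key, key, keylen);
    return add_attr(nlh, cap, type, tmp, sizeof(struct xfrm_algo) + keylen);
}

/* Fill buf with the complete request; returns its length or -1. */
int build_shared_sa(unsigned char *buf, size_t cap)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_usersa_info *sa;
    if (cap < NLMSG_SPACE(sizeof *sa)) return -1;
    memset(buf, 0, cap);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof *sa);
    nlh->nlmsg_type = XFRM_MSG_NEWSA;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
    sa = NLMSG_DATA(nlh);

    /* src 10.0.0.10 dst 10.0.0.20 proto esp spi 0x3113 mode transport */
    sa->family = AF_INET;
    sa->mode = XFRM_MODE_TRANSPORT;
    inet_pton(AF_INET, "10.0.0.10", &sa->saddr.a4);
    inet_pton(AF_INET, "10.0.0.20", &sa->id.daddr.a4);
    sa->id.proto = IPPROTO_ESP;
    sa->id.spi = htonl(0x3113);
    sa->lft.soft_byte_limit = sa->lft.hard_byte_limit = XFRM_INF;
    sa->lft.soft_packet_limit = sa->lft.hard_packet_limit = XFRM_INF;

    /* sel proto any sport 1234 dport 4321: proto 0 is IPPROTO_IP (wildcard),
       the port masks make the ports significant for TCP and UDP flows alike.
       This is exactly the combination the unpatched ip(8) rejects. */
    sa->sel.family = AF_INET;
    sa->sel.proto = IPPROTO_IP;
    sa->sel.sport = htons(1234);  sa->sel.sport_mask = 0xffff;
    sa->sel.dport = htons(4321);  sa->sel.dport_mask = 0xffff;

    /* enc cipher_null "" auth md5 <key> */
    if (add_algo(nlh, cap, XFRMA_ALG_AUTH, "md5", md5_key, sizeof md5_key) < 0 ||
        add_algo(nlh, cap, XFRMA_ALG_CRYPT, "cipher_null", NULL, 0) < 0)
        return -1;
    return (int)nlh->nlmsg_len;
}

/* Hand the request to the kernel (needs CAP_NET_ADMIN). Returns 0 on ACK,
   the kernel's negative errno from NLMSG_ERROR, or -errno for socket failures. */
int send_xfrm(const unsigned char *msg, int len)
{
    struct sockaddr_nl nl = { .nl_family = AF_NETLINK };
    unsigned char rbuf[BUFSZ];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) return -errno;
    if (sendto(fd, msg, len, 0, (struct sockaddr *)&nl, sizeof nl) < 0) {
        int e = errno; close(fd); return -e;
    }
    ssize_t n = recv(fd, rbuf, sizeof rbuf, 0);
    close(fd);
    if (n < (ssize_t)NLMSG_LENGTH(sizeof(struct nlmsgerr))) return -EPROTO;
    struct nlmsghdr *r = (struct nlmsghdr *)rbuf;
    if (r->nlmsg_type != NLMSG_ERROR) return -EPROTO;
    return ((struct nlmsgerr *)NLMSG_DATA(r))->error;   /* 0 means the SA was added */
}

int main(void)
{
    int len = build_shared_sa(req, sizeof req);
    if (len < 0) { fputs("could not build request\n", stderr); return 1; }
    int rc = send_xfrm(req, len);
    if (rc == 0)
        puts("kernel accepted the SA with sel proto 0 + ports; see: ip xfrm state");
    else
        printf("not installed: %s (run as root; EEXIST means it already exists)\n",
               strerror(-rc));
    return rc ? 1 : 0;
}
```

Run it as root and then `ip xfrm state` shows one SA with `sel src 0.0.0.0/0 dst 0.0.0.0/0 proto ip sport 1234 dport 4321` covering both TCP and UDP; as an unprivileged user the build still succeeds and only the netlink send is refused, which separates the tool's input check (the subject of this bug) from the kernel's own acceptance of the selector.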
Hello, looks good to me. I'll put it into rawhide and probably into the next update to F-10. Please send your patch upstream to netdev (at) vger.kernel (dot) org. It would be great if they put it into iproute2's git and into the next version.
Thanks. I've posted the patch to the netdev mailing list for review.