Bug 497355 - ip should allow creation of an IPsec SA with 'proto any' and specified sport and dport as selectors
Product: Fedora
Classification: Fedora
Component: iproute
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-23 10:50 EDT by Jiri Klimes
Modified: 2009-06-10 09:14 EDT

Doc Type: Bug Fix
Last Closed: 2009-06-10 09:14:57 EDT

Attachments (Terms of Use)
[PATCH] ip allows creation of shared IPsec SA for UDP and TCP (487 bytes, patch)
2009-04-23 10:54 EDT, Jiri Klimes

Description Jiri Klimes 2009-04-23 10:50:53 EDT
Description of problem:

When creating an IPsec SA that sets 'proto any' (IPPROTO_IP) and specifies 'sport' and 'dport' at the same time in the selector, the following error is issued:
"sport" and "dport" are invalid with proto=ip

However, using IPPROTO_IP with ports is completely legal and necessary when one wants to share the SA on both TCP and UDP.
One of the applications requiring sharing SAs is 3GPP IMS AKA authentication.

Version-Release number of selected component (if applicable):
tried with iproute-2.6.27-2.fc10.i386

How reproducible:

Steps to Reproduce:
ip x s add src dst proto esp spi 0x3113 enc cipher_null "" auth md5 0xbde359723576fdea08e56cbe876e24ad mode transport sel proto any sport 1234 dport 4321

Actual results:
error message

Expected results:
The ip command of the iproute package should allow adding 'shared' IPsec SAs with the specified ports and the protocol set to 0 (IPPROTO_IP).

Note: XFRM allows this programmatically.

Additional info:

I suggest the patch in the attachment.
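To see why a selector with protocol 0 and fixed ports is meaningful, the following added example (not the reporter's patch and not iproute2 or kernel code) models the XFRM selector comparison in Python: prefix match on both addresses, masked XOR on both ports, and protocol equality unless the selector protocol is 0. The addresses and flows are constructed sample data.

```python
# Added example (not from the bug report or iproute2): a Python model of the
# kernel's XFRM selector match, showing why proto 0 ('any') plus ports is useful.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
IPPROTO_IP, IPPROTO_TCP, IPPROTO_UDP = 0, 6, 17

@dataclass(frozen=True)
class Selector:
    """Simplified xfrm_selector: address prefixes, masked ports, protocol."""
    src: str                  # CIDR prefix; "0.0.0.0/0" matches any source
    dst: str
    proto: int = IPPROTO_IP   # 0 is the 'any' wildcard, as in the kernel
    sport: int = 0
    sport_mask: int = 0       # 0xffff when a port was given, 0 = wildcard
    dport: int = 0
    dport_mask: int = 0

@dataclass(frozen=True)
class Flow:
    saddr: str                # packet fields the kernel compares to a selector
    daddr: str
    proto: int
    sport: int
    dport: int

def selector_matches(sel: Selector, fl: Flow) -> bool:
    """Address prefixes, masked ports, and protocol (0 in the selector = any)."""
    return (ip_address(fl.saddr) in ip_network(sel.src)
            and ip_address(fl.daddr) in ip_network(sel.dst)
            and not ((fl.dport ^ sel.dport) & sel.dport_mask)
            and not ((fl.sport ^ sel.sport) & sel.sport_mask)
            and (fl.proto == sel.proto or sel.proto == IPPROTO_IP))

# Constructed sample traffic: the report's ports over TCP and over UDP,
# plus an unrelated TCP flow that neither selector below should catch.
SAMPLE_FLOWS = [
    Flow("192.0.2.1", "198.51.100.1", IPPROTO_TCP, 1234, 4321),
    Flow("192.0.2.1", "198.51.100.1", IPPROTO_UDP, 1234, 4321),
    Flow("192.0.2.1", "198.51.100.1", IPPROTO_TCP, 1234, 80),
]

def matching_protos(sel: Selector) -> list[int]:
    """Protocols of the sample flows that the selector steers into its SA."""
    return [fl.proto for fl in SAMPLE_FLOWS if selector_matches(sel, fl)]

# 'sel proto any sport 1234 dport 4321' from the report: one SA shared by TCP and UDP
SHARED = Selector("0.0.0.0/0", "0.0.0.0/0", IPPROTO_IP, 1234, 0xFFFF, 4321, 0xFFFF)
# The same ports restricted to TCP: UDP traffic would need a second SA
TCP_ONLY = Selector("0.0.0.0/0", "0.0.0.0/0", IPPROTO_TCP, 1234, 0xFFFF, 4321, 0xFFFF)
```

The pre-fix ip rejection is purely a userspace check; the kernel accepts and matches such a selector as shown.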
Comment 1 Jiri Klimes 2009-04-23 10:54:10 EDT
Created attachment 340947 [details]
[PATCH] ip allows creation of shared IPsec SA for UDP and TCP
Comment 2 Marcela Mašláňová 2009-04-24 03:46:57 EDT
Looks good to me. I'll put it into rawhide and probably into the next update to F-10.

Please send your patch upstream to netdev (at) vger.kernel (dot) org. It will be great if they put it into iproute2's git and into the next version.
Comment 3 Jiri Klimes 2009-04-24 07:19:13 EDT
I've posted the patch to netdev mailing list for a review.
