Question about tunnels, IPsec and redirect

bill4carson bill4carson at gmail.com
Sat Sep 28 22:23:37 EDT 2013


Hi, Kevin

On 2013-09-26 15:31, Kevin Wilson wrote:
> Hi,
> Of course.
> But the (unanswered) question is:
> when sp is non-NULL and we are working with IPsec, why shouldn't we
> send a redirect in such a case?

Apologies for replying late.

I think you are probably missing what "ICMP redirect" does; if so, please
take a look at this link:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

My understanding is:
If the host is protected by gateway A using IPsec, even if a better route for the host is
via gateway B, gateway A cannot tell the host to use gateway B as next hop (by sending a redirect),
as the IPsec policy is on gateway A only, not necessarily on gateway B.

I think this is the scenario that the patch is trying to describe.



> rgs
> Kevin
> 
> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson<bill4carson at gmail.com>  wrote:
>> Hi Kevin
>>
>>
>> On 2013-09-25 02:52, Kevin Wilson wrote:
>>>
>>> Hi,
>>> I am looking at this patch:
>>> http://lists.openwall.net/netdev/2007/08/24/29
>>> and I cannot understand it. Can somebody please try
>>> to explain ?
>>> more specifically:
>>> Can somebody please give an example of some setup of IPsec tunnel
>>> where the ip_rt_send_redirect() method should not be called when the
>>> skb->sp is not NULL ?
>>
>>
>> +       if (rt->rt_flags&RTCF_DOREDIRECT&&  !opt->srr&&  !skb->sp)
>>                                                            ^^^^^^^
>> If IPsec policy is not enabled for a specific flow that this skb matches,
>> skb->sp is NULL.
>>
>>
>>
>>> (in other words, why, if the SKB is an IPsec SKB, we should not send a
>>> redirect in such a case while forwarding a packet; note I am talking
>>> about IPv4)
>>>
>>> Note that the check for skb->sp was changed in recent kernels to
>>> skb_sec_path(skb), but it is essentially the same.
>>>
>>>
>>> Regards,
>>> Kevin
>>>
>>> _______________________________________________
>>> Kernelnewbies mailing list
>>> Kernelnewbies at kernelnewbies.org
>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>
>>
>> --
>> Dust rises over the eight-hundred-li Qinchuan plain; thirty million Shaanxi people roar Qin opera in chorus.
>>
>> --bill
> 

-- 
Dust rises over the eight-hundred-li Qinchuan plain; thirty million Shaanxi people roar Qin opera in chorus.

--bill
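An added example, not code from this thread or from the kernel: a toy C model of the forwarding decision that the quoted `+` line implements. A constructed security policy database on "gateway A" stands in for the policy lookup that populates `skb->sp` (later `skb_sec_path(skb)`), so the block shows the three independent reasons the kernel condition can refuse to send a redirect, and in particular that a packet matching the gateway's own IPsec policy is never redirected even when a better next hop exists. Names such as `forward_decide`, `sec_path_lookup`, `xfrm_policy_toy`, `IP4` and the `redirect_verdict` enum are assumptions made for this example; only `RTCF_DOREDIRECT` mirrors a real kernel identifier, and the sample policy and addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag value; the name mirrors the kernel's RTCF_DOREDIRECT,
 * which is set when the best route for the packet leaves through the same
 * interface it arrived on (a redirect would be useful). */
#define RTCF_DOREDIRECT 0x01u

typedef uint32_t ipv4_t; /* host-order IPv4 address */

/* Build a host-order address from a dotted quad without signed overflow. */
#define IP4(a, b, c, d) \
    ((((ipv4_t)(a)) << 24) | (((ipv4_t)(b)) << 16) | (((ipv4_t)(c)) << 8) | ((ipv4_t)(d)))

/* Toy SPD entry: traffic to dst_net/prefix_len must go through IPsec. */
struct xfrm_policy_toy {
    ipv4_t dst_net;
    unsigned prefix_len;
    const char *name;
};

/* Constructed sample: gateway A protects the 10.10.0.0/16 branch network. */
static const struct xfrm_policy_toy spd[] = {
    { IP4(10, 10, 0, 0), 16, "vpn-to-branch" },
};
#define SPD_LEN (sizeof(spd) / sizeof(spd[0]))

static bool prefix_match(ipv4_t addr, ipv4_t net, unsigned len)
{
    uint32_t mask = (len == 0) ? 0u : (0xFFFFFFFFu << (32 - len));
    return (addr & mask) == (net & mask);
}

/* Analogue of skb->sp / skb_sec_path(): non-NULL only when a policy matched. */
static const struct xfrm_policy_toy *sec_path_lookup(ipv4_t dst)
{
    for (size_t i = 0; i < SPD_LEN; i++)
        if (prefix_match(dst, spd[i].dst_net, spd[i].prefix_len))
            return &spd[i];
    return NULL;
}

enum redirect_verdict {
    REDIRECT_SEND = 0,          /* tell the host about the better gateway  */
    REDIRECT_SKIP_NO_BETTER,    /* RTCF_DOREDIRECT clear: nothing to advertise */
    REDIRECT_SKIP_SRR,          /* source-routed packet: sender chose the path */
    REDIRECT_SKIP_IPSEC         /* skb->sp set: this gateway holds the policy */
};

/* Models the quoted condition
 *     if (rt->rt_flags & RTCF_DOREDIRECT && !opt->srr && !skb->sp)
 * The kernel evaluates it as a single AND; the enum only reports which
 * term would have suppressed the redirect (checked in the same order). */
enum redirect_verdict forward_decide(unsigned rt_flags, bool opt_srr, ipv4_t dst)
{
    const struct xfrm_policy_toy *sp = sec_path_lookup(dst);

    if (!(rt_flags & RTCF_DOREDIRECT))
        return REDIRECT_SKIP_NO_BETTER;
    if (opt_srr)
        return REDIRECT_SKIP_SRR;
    if (sp) /* the host must keep sending via gateway A, so no redirect */
        return REDIRECT_SKIP_IPSEC;
    return REDIRECT_SEND;
}

static const char *verdict_name(enum redirect_verdict v)
{
    switch (v) {
    case REDIRECT_SEND:           return "send ICMP redirect";
    case REDIRECT_SKIP_NO_BETTER: return "skip: no better route on this link";
    case REDIRECT_SKIP_SRR:       return "skip: source-routed packet";
    case REDIRECT_SKIP_IPSEC:     return "skip: packet matches local IPsec policy";
    }
    return "unknown";
}

int main(void)
{
    /* Gateway B is a better next hop for both destinations (flag set),
     * but only the non-IPsec destination may be redirected. */
    printf("10.10.5.1    -> %s\n", verdict_name(forward_decide(RTCF_DOREDIRECT, false, IP4(10, 10, 5, 1))));
    printf("192.168.1.7  -> %s\n", verdict_name(forward_decide(RTCF_DOREDIRECT, false, IP4(192, 168, 1, 7))));
    printf("192.168.1.7 (SRR) -> %s\n", verdict_name(forward_decide(RTCF_DOREDIRECT, true, IP4(192, 168, 1, 7))));
    return 0;
}
```

The point the model makes concrete: if gateway A redirected the host to gateway B for 10.10.5.1, subsequent packets would bypass A's SPD entirely and leave in the clear, because B is not required to share that policy. The `!skb->sp` term is what keeps the host's traffic flowing through the gateway that actually applies the policy.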
