Question about tunnels, IPsec and redirect

bill4carson bill4carson at gmail.com
Sat Sep 28 22:36:18 EDT 2013



On 2013-09-29 10:23, bill4carson wrote:
> Hi, Kevin
> 
> On 2013-09-26 15:31, Kevin Wilson wrote:
>> Hi,
>> Of course.
>> But the (unanswered) question is:
>> when sp is non NULL and we are working with IPsec, why shouldn't we
>> send a redirect in such a case?
> 
> Apologies for replying late.
> 
> I think you are probably missing what "ICMP redirect" does; if so, please
> take a look at this link:
> 
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
> 
> My understanding is:
> If a host is protected by gateway A using IPsec, even if a better route for the host is
> via gateway B, gateway A cannot tell the host to use gateway B as its next hop (by sending a redirect),
> as the IPsec policy is on gateway A only, not necessarily on gateway B.
> 
> I think this is the scenario that the patch is trying to describe.

There is a subtle difference from what I described above, but it is mostly the same.

Quotes from original commit log:

IPv4 IPsec tunnel gateway incorrectly sends a redirect to the
sender if it is an onlink host, when the network device on which the IPsec tunnelled
packet arrived is the same as the one the decapsulated packet
is sent on.

The author probably meant this scenario:


     Gateway B
    /       \
   /         \
  /           \
Host ---->  Gateway A

Gateway A protects traffic from the host destined to Gateway B, but eventually
Gateway A finds out that the host's better next hop should be Gateway B. So we cannot
send a redirect to the host here, otherwise the traffic to Gateway B will be sent naked (unprotected).



> 
> 
>> rgs
>> Kevin
>>
>> On Thu, Sep 26, 2013 at 10:02 AM, bill4carson <bill4carson at gmail.com> wrote:
>>> Hi Kevin
>>>
>>>
>>> On 2013-09-25 02:52, Kevin Wilson wrote:
>>>>
>>>> Hi,
>>>> I am looking at this patch:
>>>> http://lists.openwall.net/netdev/2007/08/24/29
>>>> and I cannot understand it. Can somebody please try
>>>> to explain?
>>>> more specifically:
>>>> Can somebody please give an example of some setup of IPsec tunnel
>>>> where the ip_rt_send_redirect() method should not be called when the
>>>> skb->sp is not NULL ?
>>>
>>>
>>> +       if (rt->rt_flags&RTCF_DOREDIRECT&&   !opt->srr&&   !skb->sp)
>>>                                                             ^^^^^^^
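Review bot: the added `!skb->sp` term suppresses the redirect for every packet that carries a security path, while the commit log quoted earlier in this message narrows the problem to the case where the IPsec-tunnelled packet arrived on the same device the decapsulated packet leaves by; since the condition itself compares no devices, a one-line comment stating the broader intent (a redirect would steer the host around the gateway that holds the IPsec policy) would help future readers. As Kevin notes further down, recent kernels express the same test as `skb_sec_path(skb)`, so a version of this change against a current tree should use that helper rather than dereferencing `skb->sp` directly.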
>>> If IPsec policy is not enabled for a specific flow that this skb matches,
>>> skb->sp is NULL.
>>>
>>>
>>>
>>>> (in other words, why, if the SKB is an IPsec SKB, should we not send a
>>>> redirect in such a case while forwarding a packet; note I am talking
>>>> about IPv4)
>>>>
>>>> Note that the check for skb->sp was changed in recent kernels to
>>>> skb_sec_path(skb), but it is essentially the same.
>>>>
>>>>
>>>> Regards,
>>>> Kevin
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>>
>>> --
>>> Dust flies over the eight-hundred-li Qin plain; thirty million Shaanxi folk roar Qin opera in unison.
>>>
>>> --bill
>>
> 

-- 
Dust flies over the eight-hundred-li Qin plain; thirty million Shaanxi folk roar Qin opera in unison.

--bill
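As an added illustration (my own example, not code from the kernel, the patch, or anyone in this thread), here is a simplified C model of the forwarding decision discussed above. The struct, the route-flag logic and the scenario values are constructed for this example; only the shape of the condition (`RTCF_DOREDIRECT && !srr && !sec_path`) follows the quoted patch line. It shows that, for the diagram's scenario (host sends an IPsec-tunnelled packet to gateway A, which decapsulates it and forwards it toward gateway B out of the same interface), the pre-patch check would emit a redirect while the post-patch check does not, and that a plain (non-IPsec) packet in the same position is still redirected.

```c
/* Added example, not kernel code: a toy model of the IPv4 forward-path
 * redirect decision. Names mirror the kernel's for readability, but the
 * flag value, the struct and the route-flag logic are all invented here. */
#include <stdbool.h>
#include <stdio.h>

#define RTCF_DOREDIRECT 0x01   /* constructed value, not the kernel's */

struct pkt {
    int  in_ifindex;     /* device the packet arrived on */
    int  out_ifindex;    /* device the route sends it out of */
    bool onlink_src;     /* sender is directly connected on in_ifindex */
    bool srr;            /* IP source-routing option present */
    bool has_sec_path;   /* decapsulated from IPsec: skb->sp / skb_sec_path() non-NULL */
};

/* Simplified assumption: the route is marked "redirectable" when the
 * packet leaves by the device it came in on and the sender is on-link. */
static unsigned route_flags(const struct pkt *p)
{
    unsigned flags = 0;
    if (p->in_ifindex == p->out_ifindex && p->onlink_src)
        flags |= RTCF_DOREDIRECT;
    return flags;
}

/* Condition before the patch: no knowledge of IPsec at all. */
bool send_redirect_before(struct pkt p)
{
    return (route_flags(&p) & RTCF_DOREDIRECT) && !p.srr;
}

/* Condition after the patch: a packet that carries a security path never
 * triggers a redirect, so the host keeps sending through the IPsec gateway. */
bool send_redirect_after(struct pkt p)
{
    return (route_flags(&p) & RTCF_DOREDIRECT) && !p.srr && !p.has_sec_path;
}

/* Constructed scenario from the diagram: host -> gateway A; A forwards toward
 * gateway B. same_dev selects whether A's egress is the ingress interface. */
struct pkt example_packet(bool ipsec, bool same_dev)
{
    struct pkt p = {
        .in_ifindex = 2, .out_ifindex = same_dev ? 2 : 3,
        .onlink_src = true, .srr = false, .has_sec_path = ipsec,
    };
    return p;
}

int main(void)
{
    printf("IPsec packet, same device: before=%d after=%d\n",
           send_redirect_before(example_packet(true, true)),
           send_redirect_after(example_packet(true, true)));
    printf("plain packet, same device: before=%d after=%d\n",
           send_redirect_before(example_packet(false, true)),
           send_redirect_after(example_packet(false, true)));
    printf("plain packet, other device: before=%d after=%d\n",
           send_redirect_before(example_packet(false, false)),
           send_redirect_after(example_packet(false, false)));
    return 0;
}
```

The model deliberately keeps the device comparison inside the route-flag step, separate from the IPsec check, which is exactly why the patch can be expressed as a single extra `!skb->sp` term: the route lookup has already decided that a redirect would otherwise be appropriate.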
