author    David S. Miller <davem@davemloft.net>    2013-12-19 18:37:49 -0500
committer David S. Miller <davem@davemloft.net>    2013-12-19 18:37:49 -0500
commit    1669cb9855050fe9d2a13391846f9aceccf42559 (patch)
tree      80a2f1229902e9db7fd1552ee770372b351f2036 /Documentation/networking
parent    cb4eae3d525abbe408e7e0efd7841b5c3c13cd0f (diff)
parent    b3c6efbc36e2c5ac820b1a800ac17cc3e040de0c (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2013-12-19

1) Use the user supplied policy index instead of a generated
   one if present. From Fan Du.

2) Make xfrm migration namespace aware. From Fan Du.

3) Make the xfrm state and policy locks namespace aware. From Fan Du.

4) Remove ancient sleeping when the SA is in acquire state,
   we now queue packets to the policy instead. This replaces
   the sleeping code.

5) Remove FLOWI_FLAG_CAN_SLEEP. This was used to notify xfrm about
   the possibility to sleep. The sleeping code is gone, so remove it.

6) Check user specified spi for IPComp. The spi for IPcomp is only
   16 bit wide, so check for a valid value. From Fan Du.

7) Export verify_userspi_info to check for valid user supplied spi
   ranges with pfkey and netlink. From Fan Du.

8) RFC3173 states that if the total size of a compressed payload and
   the IPComp header is not smaller than the size of the original
   payload, the IP datagram must be sent in the original non-compressed
   form. These packets are dropped by the inbound policy check because
   they are not transformed. Document the need to set 'level use' for
   IPcomp to receive such packets anyway. From Fan Du.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
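Item 8 of the pull request above, modelled as an added example that is not kernel code and not part of this merge: the RFC 3173 section 2.2 non-expansion decision on the sender, the receiver's inbound policy check, and the effect of 'level use'. The packet structure, the selector, the 90-byte threshold and the use of zlib framing in place of raw DEFLATE are assumptions made for the example.

```python
import zlib
from dataclasses import dataclass

IPCOMP_HDR_LEN = 4        # RFC 3173 section 3: next header, flags, 16-bit CPI
SMALL_PKT_THRESHOLD = 90  # assumed; RFC 3173 2.2 leaves the threshold to the implementation


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    ipcomp: bool = False   # an IPComp header precedes the payload
    secpath: bool = False  # the packet was produced by an xfrm transform on input


def ipcomp_output(pkt: Packet, threshold: int = SMALL_PKT_THRESHOLD) -> Packet:
    """Sender side, RFC 3173 2.2: add an IPComp header only when compression wins."""
    if len(pkt.payload) < threshold:
        return pkt  # below threshold: sent in original form, no IPComp header
    comp = zlib.compress(pkt.payload, 9)  # zlib framing stands in for raw DEFLATE here
    if len(comp) + IPCOMP_HDR_LEN >= len(pkt.payload):
        return pkt  # would not shrink: sent in original form, no IPComp header
    return Packet(pkt.src, pkt.dst, comp, ipcomp=True)


def ipcomp_input(pkt: Packet) -> Packet:
    """Receiver side: only packets carrying an IPComp header pass through xfrm."""
    if pkt.ipcomp:
        return Packet(pkt.src, pkt.dst, zlib.decompress(pkt.payload), secpath=True)
    return pkt  # "naked" packet: no security path is attached


def policy_check(pkt: Packet, selector: tuple, level: str = "required") -> bool:
    """Inbound policy: a packet matching the selector must carry a security path,
    unless the template level is 'use', which makes the transform optional."""
    if (pkt.src, pkt.dst) != selector:
        return True  # not covered by this policy
    return pkt.secpath or level == "use"


def deliver(payload: bytes, level: str = "required") -> bool:
    """End to end: True when the receiver accepts the packet, False when it is dropped."""
    sel = ("10.0.0.1", "10.0.0.2")  # constructed selector for the example
    on_wire = ipcomp_output(Packet(*sel, payload))
    return policy_check(ipcomp_input(on_wire), sel, level)
```

Note that with level 'use' the receiver accepts every matching packet that lacks a security path, not only the ones the sender left uncompressed because they were small; the check cannot tell the two apart.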
Diffstat (limited to 'Documentation/networking')
-rw-r--r--  Documentation/networking/ipsec.txt  38
1 files changed, 38 insertions, 0 deletions
diff --git a/Documentation/networking/ipsec.txt b/Documentation/networking/ipsec.txt
new file mode 100644
index 000000000000..8dbc08b7e431
--- /dev/null
+++ b/Documentation/networking/ipsec.txt
@@ -0,0 +1,38 @@
1
2Here documents known IPsec corner cases which need to be keep in mind when
3deploy various IPsec configuration in real world production environment.
4
51. IPcomp: Small IP packet won't get compressed at sender, and failed on
6 policy check on receiver.
7
8Quote from RFC3173:
92.2. Non-Expansion Policy
10
11 If the total size of a compressed payload and the IPComp header, as
12 defined in section 3, is not smaller than the size of the original
13 payload, the IP datagram MUST be sent in the original non-compressed
14 form. To clarify: If an IP datagram is sent non-compressed, no
15
16 IPComp header is added to the datagram. This policy ensures saving
17 the decompression processing cycles and avoiding incurring IP
18 datagram fragmentation when the expanded datagram is larger than the
19 MTU.
20
21 Small IP datagrams are likely to expand as a result of compression.
22 Therefore, a numeric threshold should be applied before compression,
23 where IP datagrams of size smaller than the threshold are sent in the
24 original form without attempting compression. The numeric threshold
25 is implementation dependent.
26
27Current IPComp implementation is indeed by the book, while as in practice
28when sending non-compressed packet to the peer(whether or not packet len
29is smaller than the threshold or the compressed len is large than original
30packet len), the packet is dropped when checking the policy as this packet
31matches the selector but not coming from any XFRM layer, i.e., with no
32security path. Such naked packet will not eventually make it to upper layer.
33The result is much more wired to the user when ping peer with different
34payload length.
35
36One workaround is try to set "level use" for each policy if user observed
37above scenario. The consequence of doing so is small packet(uncompressed)
38will skip policy checking on receiver side.
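Review bot: The closing sentence "The consequence of doing so is small packet(uncompressed) will skip policy checking on receiver side." understates the trade-off and should be reworded. The preceding paragraph gives the real drop reason, that the packet "matches the selector but not coming from any XFRM layer, i.e., with no security path"; the receiver cannot tell a packet that was left uncompressed because it was small from any other inbound packet that matches the selector and has no security path, so 'level use' makes the IPComp transform optional for all such traffic, not only for small packets. Suggest saying that plainly so an administrator knows which check is being relaxed, and noting that the setting is meant for the IPComp template (item 8 of the merge message says 'level use' for IPcomp), not for the policy as a whole. A few language fixes as well: "need to be keep in mind when deploy" should read "need to be kept in mind when deploying"; "and failed on policy check on receiver" should read "and fails the policy check on the receiver"; "the compressed len is large than original packet len" should read "larger than"; "much more wired to the user" should read "much more confusing to the user".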