IPSec: make SPDUPDATE atomic
Needs ReviewPublic
Actions

Authored by emeric.poupon_stormshield.eu on May 24 2018, 3:22 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Mon, Feb 16, 12:43 PM

	Unknown Object (File)
	Sun, Feb 8, 11:02 AM

	Unknown Object (File)
	Sun, Feb 8, 9:08 AM

	Unknown Object (File)
	Dec 10 2025, 8:50 AM

	Unknown Object (File)
	Nov 22 2025, 8:24 PM

	Unknown Object (File)
	Oct 8 2025, 1:06 AM

	Unknown Object (File)
	Sep 27 2025, 1:22 AM

	Unknown Object (File)
	Jun 30 2025, 1:51 PM

View All 54 Files

Subscribers

imp

Details

Reviewers

Group Reviewers

secteam

Summary

SPDUPDATE is implemented using a del/add mechanism.
Unfortunately it is not atomic: the SP tree lock is released after the SP is removed and taken again before the SP is inserted.
Depending on the configuration, some packets may leak (e.g. using the default route)

Test Plan

In a network-to-network IPSec configuration, I set up an aggressive ping between two hosts.
tcpdump on the public interface shows ping packets from time to time (during the SPDUPDATE events triggered by the IKE daemon).

After the patch, there is no more packet leak.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

emeric.poupon_stormshield.eu created this revision.May 24 2018, 3:22 PM

Herald added a subscriber: imp. · View Herald TranscriptMay 24 2018, 3:22 PM

I have two questions:

is it OK to leave the old SP in case of error? I guess it is but in the previous implementation the SP is removed if it cannot be updated, and I think it is really questionable.
is it OK to hold a mutex during a printf? I guess not but there are already some examples doing that in this file

Revision Contents
Changeset List

Path

Size

sys/

netipsec/

key.c

58 lines

Diff 42930

View Options

IPSec: make SPDUPDATE atomicNeeds ReviewPublicActions