- in ipsec_encap() embed scope zone ids into link-local addresses in the new IPv6 header, this helps ip6_output() disambiguate the scope;
- teach key_ismyaddr6() to use in6_localip(). in6_localip() is less strict than key_sockaddrcmp(): it doesn't compare all fields of struct sockaddr_in6, but it is faster and it should be safe, because all of the SA's data has already been checked for correctness. Also, since IPv6 link-local addresses in V_in6_ifaddrhead are stored in kernel-internal form, embed the scope zone id from the SA into the address before calling in6_localip().
- in ipsec_common_input() take scope zone id embedded in the address and use it to initialize sin6_scope_id, then use this sockaddr structure to lookup SA. We keep addresses in the SADB without embedded scope zone id.
- Reviewers
gnn - Group Reviewers
network - Commits
- rS281693: Fix handling of scoped IPv6 addresses in IPSec code.
I used these two configuration for tests:
Host1:
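#!/sbin/setkey -f
#
# Manual SAD/SPD test configuration for Host1 (the peer uses the Host2 script).
# Each test installs one outbound and one inbound policy plus the two
# matching static SAs; the commented ping/tcpdump lines record how the test
# was driven and what was observed on enc0 and on the wire.
#
# NOTE(review): test-only keying. Every SA below uses the same fixed 16-byte
# key and ESP encryption only (-E rijndael-cbc with no -A authentication
# algorithm), so the protected traffic has confidentiality but no integrity
# protection. Keep this configuration to an isolated lab.

# Start from an empty SAD and SPD.
flush;
spdflush;

# Host configuration:
# ifconfig wlan0 inet 10.9.8.3/24
# ifconfig wlan0 inet 10.9.9.3/24 alias
# ifconfig wlan0 inet 10.9.10.3/24 alias
# ifconfig wlan0 inet 10.9.11.3/24 alias
# ifconfig wlan0 inet 10.9.12.3/24 alias
# ifconfig wlan0 inet 10.9.13.3/24 alias
# ifconfig wlan0 inet 10.9.14.3/24 alias
# ifconfig wlan0 inet6 fe80::3/64
# ifconfig wlan0 inet6 fe80::1:3/64
# ifconfig wlan0 inet6 fe80::11:3/64
# ifconfig wlan0 inet6 fc00::3/64
# ifconfig wlan0 inet6 fc00:10::3/64
# ifconfig wlan0 inet6 fc00:11::3/64
# ifconfig wlan0 inet6 fc00:12::3/64
# ifconfig wlan0 inet6 fc00:13::3/64
# ifconfig gif1 create inet 192.168.0.3/24 192.168.0.11 tunnel 10.9.9.3 10.9.9.11 up
# ifconfig gif1 inet6 fc00:1::3/64
# ifconfig gif1 inet6 fe80::1:3/64
# ifconfig gif2 create inet 172.16.0.3/24 172.16.0.11
# ifconfig gif2 inet6 tunnel fe80::1:3%wlan0 fe80::1:11%wlan0
# ifconfig gif2 inet6 fc00:2::3/64
# ifconfig gif3 create inet 192.168.1.3/24 192.168.1.11 tunnel 10.9.14.3 10.9.14.11 up
# ifconfig gif3 inet6 fc00:14::3/64
#
# Outbound ICMPv6 Neighbor Solicitation (135) and Neighbor Advertisement (136)
# bypass IPsec.
# NOTE(review): line breaks were reconstructed from a collapsed listing; the
# first rule is assumed to be active like the second - confirm against the
# original test plan.
spdadd -6 ::/0 ::/0 icmp6 135,0 -P out none;
spdadd -6 ::/0 ::/0 icmp6 136,0 -P out none;

# Test 1: IPv4 + transport mode
# 10.9.8.3 <- transport mode IPSec -> 10.9.8.11
#
# ping -c1 -S 10.9.8.3 10.9.8.11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d55: IP 10.9.8.3 > 10.9.8.11: ICMP echo request, id 62307, seq 0, length 64
# SPI 0x00003d55: IP 10.9.8.3 > 10.9.8.11: ICMP echo request, id 62307, seq 0, length 64
# SPI 0x00005fb5: IP 10.9.8.11 > 10.9.8.3: ICMP echo reply, id 62307, seq 0, length 64
#
# tcpdump -ni wlan0 esp
# IP 10.9.8.3 > 10.9.8.11: ESP(spi=0x00003d55,seq=0xd3), length 104
# IP 10.9.8.11 > 10.9.8.3: ESP(spi=0x00005fb5,seq=0x207), length 104
spdadd 10.9.8.3 10.9.8.11 any -P out ipsec esp/transport//default;
spdadd 10.9.8.11 10.9.8.3 any -P in ipsec esp/transport//default;
add 10.9.8.3 10.9.8.11 esp 15701 -m transport -E rijndael-cbc "1111111111111111" ;
add 10.9.8.11 10.9.8.3 esp 24501 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 2: IPv4 + gif + transport mode
# 192.168.0.3 <- transport mode IPSec -> 192.168.0.11
#
# ping -c1 -S 192.168.0.3 192.168.0.11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d56: IP 192.168.0.3 > 192.168.0.11: ICMP echo request, id 63331, seq 0, length 64
# SPI 0x00003d56: IP 192.168.0.3 > 192.168.0.11: ICMP echo request, id 63331, seq 0, length 64
# SPI 0x00005fb6: IP 192.168.0.11 > 192.168.0.3: ICMP echo reply, id 63331, seq 0, length 64
#
# tcpdump -ni wlan0
# IP 10.9.9.3 > 10.9.9.11: IP 192.168.0.3 > 192.168.0.11: ESP(spi=0x00003d56,seq=0x6), length 104 (ipip-proto-4)
# IP 10.9.9.11 > 10.9.9.3: IP 192.168.0.11 > 192.168.0.3: ESP(spi=0x00005fb6,seq=0x7), length 104 (ipip-proto-4)
spdadd 192.168.0.3 192.168.0.11 any -P out ipsec esp/transport//default;
spdadd 192.168.0.11 192.168.0.3 any -P in ipsec esp/transport//default;
add 192.168.0.3 192.168.0.11 esp 15702 -m transport -E rijndael-cbc "1111111111111111" ;
add 192.168.0.11 192.168.0.3 esp 24502 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 3: IPv6 + transport mode
# fc00::3 <- transport mode IPSec -> fc00::11
#
# ping6 -c1 fc00::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d57: IP6 fc00::3 > fc00::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d57: IP6 fc00::3 > fc00::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fb7: IP6 fc00::11 > fc00::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fc00::3 > fc00::11: ESP(spi=0x00003d57,seq=0x1), length 56
# IP6 fc00::11 > fc00::3: ESP(spi=0x00005fb7,seq=0x2), length 56
spdadd -6 fc00::3 fc00::11 any -P out ipsec esp/transport//default;
spdadd -6 fc00::11 fc00::3 any -P in ipsec esp/transport//default;
add -6 fc00::3 fc00::11 esp 15703 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00::11 fc00::3 esp 24503 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 4: IPv6 LLA + transport mode
# fe80::3%wlan0 <- transport mode IPSec -> fe80::11%wlan0
#
# ping6 -c1 fe80::11%wlan0
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d58: IP6 fe80:5::3 > fe80:5::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d58: IP6 fe80:5::3 > fe80:5::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fb8: IP6 fe80:5::11 > fe80:5::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fe80::3 > fe80::11: ESP(spi=0x00003d58,seq=0x2), length 56
# IP6 fe80::11 > fe80::3: ESP(spi=0x00005fb8,seq=0x1b), length 56
spdadd -6 fe80::3%wlan0 fe80::11%wlan0 any -P out ipsec esp/transport//default;
spdadd -6 fe80::11%wlan0 fe80::3%wlan0 any -P in ipsec esp/transport//default;
add -6 fe80::3%wlan0 fe80::11%wlan0 esp 15704 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11%wlan0 fe80::3%wlan0 esp 24504 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 5: IPv6 LLA + gif + transport mode
# fe80::1:3%gif1 <- transport mode IPSec -> fe80::1:11%gif1
#
# ping6 -c1 fe80::1:11%gif1
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d59: IP6 fe80:7::1:3 > fe80:7::1:11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d59: IP6 fe80:7::1:3 > fe80:7::1:11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fb9: IP6 fe80:7::1:11 > fe80:7::1:3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0
# IP 10.9.9.3 > 10.9.9.11: IP6 fe80::1:3 > fe80::1:11: ESP(spi=0x00003d59,seq=0x3), length 56
# IP 10.9.9.11 > 10.9.9.3: IP6 fe80::1:11 > fe80::1:3: ESP(spi=0x00005fb9,seq=0x4), length 56
spdadd -6 fe80::1:3%gif1 fe80::1:11%gif1 any -P out ipsec esp/transport//default;
spdadd -6 fe80::1:11%gif1 fe80::1:3%gif1 any -P in ipsec esp/transport//default;
add -6 fe80::1:3%gif1 fe80::1:11%gif1 esp 15705 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::1:11%gif1 fe80::1:3%gif1 esp 24505 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 6: IPv6 + gif + transport mode
# fc00:1::3 <- transport mode IPSec -> fc00:1::11
#
# ping6 -c1 fc00:1::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5a: IP6 fc00:1::3 > fc00:1::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5a: IP6 fc00:1::3 > fc00:1::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fba: IP6 fc00:1::11 > fc00:1::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0
# IP 10.9.9.3 > 10.9.9.11: IP6 fc00:1::3 > fc00:1::11: ESP(spi=0x00003d5a,seq=0x1), length 56
# IP 10.9.9.11 > 10.9.9.3: IP6 fc00:1::11 > fc00:1::3: ESP(spi=0x00005fba,seq=0x2), length 56
spdadd -6 fc00:1::3 fc00:1::11 any -P out ipsec esp/transport//default;
spdadd -6 fc00:1::11 fc00:1::3 any -P in ipsec esp/transport//default;
add -6 fc00:1::3 fc00:1::11 esp 15706 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00:1::11 fc00:1::3 esp 24506 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 7: IPv4 tunnel mode 10.9.11.3 <-> 10.9.11.11
# 10.9.10.3 <- tunnel mode IPSec -> 10.9.10.11
# fc00:10::3 <- -> fc00:10::11
#
# ping -c1 -S 10.9.10.3 10.9.10.11
# ping6 -c1 fc00:10::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5b: IP 10.9.10.3 > 10.9.10.11: ICMP echo request, id 7780, seq 0, length 64
# SPI 0x00003d5b: IP 10.9.11.3 > 10.9.11.11: IP 10.9.10.3 > 10.9.10.11: ICMP echo request, id 7780, seq 0, length 64 (ipip-proto-4)
# SPI 0x00005fbb: IP 10.9.11.11 > 10.9.11.3: IP 10.9.10.11 > 10.9.10.3: ICMP echo reply, id 7780, seq 0, length 64 (ipip-proto-4)
# SPI 0x00003d5b: IP6 fc00:10::3 > fc00:10::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5b: IP 10.9.11.3 > 10.9.11.11: IP6 fc00:10::3 > fc00:10::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbb: IP 10.9.11.11 > 10.9.11.3: IP6 fc00:10::11 > fc00:10::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP 10.9.11.3 > 10.9.11.11: ESP(spi=0x00003d5b,seq=0x1), length 120
# IP 10.9.11.11 > 10.9.11.3: ESP(spi=0x00005fbb,seq=0x3), length 120
# IP 10.9.11.3 > 10.9.11.11: ESP(spi=0x00003d5b,seq=0x2), length 88
# IP 10.9.11.11 > 10.9.11.3: ESP(spi=0x00005fbb,seq=0x4), length 88
spdadd 10.9.10.3 10.9.10.11 any -P out ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd 10.9.10.11 10.9.10.3 any -P in ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
spdadd -6 fc00:10::3 fc00:10::11 any -P out ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd -6 fc00:10::11 fc00:10::3 any -P in ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
add 10.9.11.3 10.9.11.11 esp 15707 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.11.11 10.9.11.3 esp 24507 -m tunnel -E rijndael-cbc "1111111111111111" ;

# Test 8: IPv6 tunnel mode fc00:11::3 <-> fc00:11::11
# 10.9.12.3 <- tunnel mode IPSec -> 10.9.12.11
# fc00:12::3 <- -> fc00:12::11
#
# ping -c1 -S 10.9.12.3 10.9.12.11
# ping6 -c1 fc00:12::11
# tcpdump -ni enc0
# Expected result:
# SPI 0x00003d5c: IP 10.9.12.3 > 10.9.12.11: ICMP echo request, id 8548, seq 0, length 64
# SPI 0x00003d5c: IP6 fc00:11::3 > fc00:11::11: IP 10.9.12.3 > 10.9.12.11: ICMP echo request, id 8548, seq 0, length 64
# SPI 0x00005fbc: IP6 fc00:11::11 > fc00:11::3: IP 10.9.12.11 > 10.9.12.3: ICMP echo reply, id 8548, seq 0, length 64
# SPI 0x00003d5c: IP6 fc00:12::3 > fc00:12::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5c: IP6 fc00:11::3 > fc00:11::11: IP6 fc00:12::3 > fc00:12::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbc: IP6 fc00:11::11 > fc00:11::3: IP6 fc00:12::11 > fc00:12::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fc00:11::3 > fc00:11::11: ESP(spi=0x00003d5c,seq=0x1), length 120
# IP6 fc00:11::11 > fc00:11::3: ESP(spi=0x00005fbc,seq=0x3), length 120
# IP6 fc00:11::3 > fc00:11::11: ESP(spi=0x00003d5c,seq=0x2), length 88
# IP6 fc00:11::11 > fc00:11::3: ESP(spi=0x00005fbc,seq=0x4), length 88
spdadd 10.9.12.3 10.9.12.11 any -P out ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd 10.9.12.11 10.9.12.3 any -P in ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
spdadd -6 fc00:12::3 fc00:12::11 any -P out ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd -6 fc00:12::11 fc00:12::3 any -P in ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
add -6 fc00:11::3 fc00:11::11 esp 15708 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fc00:11::11 fc00:11::3 esp 24508 -m tunnel -E rijndael-cbc "1111111111111111" ;

# Test 9: IPv6 tunnel mode + LLA fe80::11:3 <-> fe80::11:11
# 10.9.13.3 <- tunnel mode IPSec -> 10.9.13.11
# fc00:13::3 <- -> fc00:13::11
#
# ping -c1 -S 10.9.13.3 10.9.13.11
# ping6 -c1 fc00:13::11
# tcpdump -ni enc0
# SPI 0x00003d5d: IP 10.9.13.3 > 10.9.13.11: ICMP echo request, id 12388, seq 0, length 64
# SPI 0x00003d5d: IP6 fe80:5::11:3 > fe80:5::11:11: IP 10.9.13.3 > 10.9.13.11: ICMP echo request, id 12388, seq 0, length 64
# SPI 0x00005fbd: IP6 fe80:5::11:11 > fe80:5::11:3: IP 10.9.13.11 > 10.9.13.3: ICMP echo reply, id 12388, seq 0, length 64
# SPI 0x00003d5d: IP6 fc00:13::3 > fc00:13::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5d: IP6 fe80:5::11:3 > fe80:5::11:11: IP6 fc00:13::3 > fc00:13::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbd: IP6 fe80:5::11:11 > fe80:5::11:3: IP6 fc00:13::11 > fc00:13::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0 esp
# IP6 fe80::11:3 > fe80::11:11: ESP(spi=0x00003d5d,seq=0x1), length 120
# IP6 fe80::11:11 > fe80::11:3: ESP(spi=0x00005fbd,seq=0x3), length 120
# IP6 fe80::11:3 > fe80::11:11: ESP(spi=0x00003d5d,seq=0x2), length 88
# IP6 fe80::11:11 > fe80::11:3: ESP(spi=0x00005fbd,seq=0x4), length 88
spdadd 10.9.13.3 10.9.13.11 any -P out ipsec esp/tunnel/fe80::11:3%wlan0-fe80::11:11%wlan0/default;
spdadd 10.9.13.11 10.9.13.3 any -P in ipsec esp/tunnel/fe80::11:11%wlan0-fe80::11:3%wlan0/default;
spdadd -6 fc00:13::3 fc00:13::11 any -P out ipsec esp/tunnel/fe80::11:3%wlan0-fe80::11:11%wlan0/default;
spdadd -6 fc00:13::11 fc00:13::3 any -P in ipsec esp/tunnel/fe80::11:11%wlan0-fe80::11:3%wlan0/default;
add -6 fe80::11:3%wlan0 fe80::11:11%wlan0 esp 15709 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11:11%wlan0 fe80::11:3%wlan0 esp 24509 -m tunnel -E rijndael-cbc "1111111111111111" ;

# Test 10: IPv4 tunnel mode + gif 10.9.14.3 <-> 10.9.14.11
# 10.9.14.3 <- tunnel mode IPSec -> 10.9.14.11
# 192.168.1.3 <- -> 192.168.1.11
# fc00:14::3 <- -> fc00:14::11
#
# ping -c1 -S 10.9.14.3 10.9.14.11
# ping -c1 -S 192.168.1.3 192.168.1.11
# ping6 -c1 fc00:14::11
# tcpdump -ni enc0
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: ICMP echo request, id 13668, seq 0, length 64
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: IP 10.9.14.3 > 10.9.14.11: ICMP echo request, id 13668, seq 0, length 64 (ipip-proto-4)
# SPI 0x00005fbe: IP 10.9.14.11 > 10.9.14.3: IP 10.9.14.11 > 10.9.14.3: ICMP echo reply, id 13668, seq 0, length 64 (ipip-proto-4)
# SPI 0x00003d5e: IP 192.168.1.3 > 192.168.1.11: ICMP echo request, id 14692, seq 0, length 64
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: IP 192.168.1.3 > 192.168.1.11: ICMP echo request, id 14692, seq 0, length 64 (ipip-proto-4)
# SPI 0x00005fbe: IP 10.9.14.11 > 10.9.14.3: IP 192.168.1.11 > 192.168.1.3: ICMP echo reply, id 14692, seq 0, length 64 (ipip-proto-4)
# SPI 0x00003d5e: IP6 fc00:14::3 > fc00:14::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00003d5e: IP 10.9.14.3 > 10.9.14.11: IP6 fc00:14::3 > fc00:14::11: ICMP6, echo request, seq 0, length 16
# SPI 0x00005fbe: IP 10.9.14.11 > 10.9.14.3: IP6 fc00:14::11 > fc00:14::3: ICMP6, echo reply, seq 0, length 16
#
# tcpdump -ni wlan0
# IP 10.9.14.3 > 10.9.14.11: ESP(spi=0x00003d5e,seq=0x1), length 120
# IP 10.9.14.11 > 10.9.14.3: ESP(spi=0x00005fbe,seq=0x4), length 120
# IP 10.9.14.3 > 10.9.14.11: ESP(spi=0x00003d5e,seq=0x2), length 120
# IP 10.9.14.11 > 10.9.14.3: ESP(spi=0x00005fbe,seq=0x5), length 120
# IP 10.9.14.3 > 10.9.14.11: ESP(spi=0x00003d5e,seq=0x3), length 88
# IP 10.9.14.11 > 10.9.14.3: ESP(spi=0x00005fbe,seq=0x6), length 88
spdadd 10.9.14.3 10.9.14.11 any -P out ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 10.9.14.11 10.9.14.3 any -P in ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd 192.168.1.3 192.168.1.11 any -P out ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 192.168.1.11 192.168.1.3 any -P in ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd -6 fc00:14::3 fc00:14::11 any -P out ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd -6 fc00:14::11 fc00:14::3 any -P in ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
add 10.9.14.3 10.9.14.11 esp 15710 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.14.11 10.9.14.3 esp 24510 -m tunnel -E rijndael-cbc "1111111111111111" ;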
Host2:
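#!/sbin/setkey -f
#
# Manual SAD/SPD test configuration for Host2 (the peer uses the Host1 script).
# The SAs are the same as on Host1; the policies are mirrored, so what Host1
# sends under an "out" policy is matched here by an "in" policy and vice versa.
#
# NOTE(review): test-only keying. Every SA below uses the same fixed 16-byte
# key and ESP encryption only (-E rijndael-cbc with no -A authentication
# algorithm), so the protected traffic has confidentiality but no integrity
# protection. Keep this configuration to an isolated lab.

# Start from an empty SAD and SPD.
flush;
spdflush;

# Host configuration:
# ifconfig em0 inet 10.9.8.11/24
# ifconfig em0 inet 10.9.9.11 alias
# ifconfig em0 inet 10.9.10.11 alias
# ifconfig em0 inet 10.9.11.11 alias
# ifconfig em0 inet 10.9.12.11 alias
# ifconfig em0 inet 10.9.13.11 alias
# ifconfig em0 inet 10.9.14.11 alias
# ifconfig em0 inet6 fe80::11/64
# ifconfig em0 inet6 fe80::1:11/64
# ifconfig em0 inet6 fe80::11:11/64
# ifconfig em0 inet6 fc00::11/64
# ifconfig em0 inet6 fc00:10::11/64
# ifconfig em0 inet6 fc00:11::11/64
# ifconfig em0 inet6 fc00:12::11/64
# ifconfig em0 inet6 fc00:13::11/64
# ifconfig gif1 create inet 192.168.0.11/24 192.168.0.3 tunnel 10.9.9.11 10.9.9.3 up
# ifconfig gif1 inet6 fc00:1::11/64
# ifconfig gif1 inet6 fe80::1:11/64
# ifconfig gif2 create inet 172.16.0.11/24 172.16.0.3
# ifconfig gif2 inet6 tunnel fe80::1:11%em0 fe80::1:3%em0
# ifconfig gif2 inet6 fc00:2::11/64
# ifconfig gif3 create inet 192.168.1.11/24 192.168.1.3 tunnel 10.9.14.11 10.9.14.3 up
# ifconfig gif3 inet6 fc00:14::11/64
#
# Outbound ICMPv6 Neighbor Solicitation (135) and Neighbor Advertisement (136)
# bypass IPsec.
# NOTE(review): line breaks were reconstructed from a collapsed listing; the
# first rule is assumed to be active like the second - confirm against the
# original test plan.
spdadd -6 ::/0 ::/0 icmp6 135,0 -P out none;
spdadd -6 ::/0 ::/0 icmp6 136,0 -P out none;

# Test 1: IPv4 + transport mode
# 10.9.8.3 <- transport mode IPSec -> 10.9.8.11
spdadd 10.9.8.3 10.9.8.11 any -P in ipsec esp/transport//default;
spdadd 10.9.8.11 10.9.8.3 any -P out ipsec esp/transport//default;
add 10.9.8.3 10.9.8.11 esp 15701 -m transport -E rijndael-cbc "1111111111111111" ;
add 10.9.8.11 10.9.8.3 esp 24501 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 2: IPv4 + gif + transport mode
# 192.168.0.3 <- transport mode IPSec -> 192.168.0.11
spdadd 192.168.0.3 192.168.0.11 any -P in ipsec esp/transport//default;
spdadd 192.168.0.11 192.168.0.3 any -P out ipsec esp/transport//default;
add 192.168.0.3 192.168.0.11 esp 15702 -m transport -E rijndael-cbc "1111111111111111" ;
add 192.168.0.11 192.168.0.3 esp 24502 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 3: IPv6 + transport mode
# fc00::3 <- transport mode IPSec -> fc00::11
spdadd -6 fc00::3 fc00::11 any -P in ipsec esp/transport//default;
spdadd -6 fc00::11 fc00::3 any -P out ipsec esp/transport//default;
add -6 fc00::3 fc00::11 esp 15703 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00::11 fc00::3 esp 24503 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 4: IPv6 LLA + transport mode
# fe80::3%em0 <- transport mode IPSec -> fe80::11%em0
spdadd -6 fe80::3%em0 fe80::11%em0 any -P in ipsec esp/transport//default;
spdadd -6 fe80::11%em0 fe80::3%em0 any -P out ipsec esp/transport//default;
add -6 fe80::3%em0 fe80::11%em0 esp 15704 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11%em0 fe80::3%em0 esp 24504 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 5: IPv6 LLA + gif + transport mode
# fe80::1:3%gif1 <- transport mode IPSec -> fe80::1:11%gif1
spdadd -6 fe80::1:3%gif1 fe80::1:11%gif1 any -P in ipsec esp/transport//default;
spdadd -6 fe80::1:11%gif1 fe80::1:3%gif1 any -P out ipsec esp/transport//default;
add -6 fe80::1:3%gif1 fe80::1:11%gif1 esp 15705 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fe80::1:11%gif1 fe80::1:3%gif1 esp 24505 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 6: IPv6 + gif + transport mode
# fc00:1::3 <- transport mode IPSec -> fc00:1::11
spdadd -6 fc00:1::3 fc00:1::11 any -P in ipsec esp/transport//default;
spdadd -6 fc00:1::11 fc00:1::3 any -P out ipsec esp/transport//default;
add -6 fc00:1::3 fc00:1::11 esp 15706 -m transport -E rijndael-cbc "1111111111111111" ;
add -6 fc00:1::11 fc00:1::3 esp 24506 -m transport -E rijndael-cbc "1111111111111111" ;

# Test 7: IPv4 tunnel mode 10.9.11.3 <-> 10.9.11.11
# 10.9.10.3 <- tunnel mode IPSec -> 10.9.10.11
# fc00:10::3 <- -> fc00:10::11
spdadd 10.9.10.3 10.9.10.11 any -P in ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd 10.9.10.11 10.9.10.3 any -P out ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
spdadd -6 fc00:10::3 fc00:10::11 any -P in ipsec esp/tunnel/10.9.11.3-10.9.11.11/default;
spdadd -6 fc00:10::11 fc00:10::3 any -P out ipsec esp/tunnel/10.9.11.11-10.9.11.3/default;
add 10.9.11.3 10.9.11.11 esp 15707 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.11.11 10.9.11.3 esp 24507 -m tunnel -E rijndael-cbc "1111111111111111" ;

# Test 8: IPv6 tunnel mode fc00:11::3 <-> fc00:11::11
# 10.9.12.3 <- tunnel mode IPSec -> 10.9.12.11
# fc00:12::3 <- -> fc00:12::11
spdadd 10.9.12.3 10.9.12.11 any -P in ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd 10.9.12.11 10.9.12.3 any -P out ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
spdadd -6 fc00:12::3 fc00:12::11 any -P in ipsec esp/tunnel/fc00:11::3-fc00:11::11/default;
spdadd -6 fc00:12::11 fc00:12::3 any -P out ipsec esp/tunnel/fc00:11::11-fc00:11::3/default;
add -6 fc00:11::3 fc00:11::11 esp 15708 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fc00:11::11 fc00:11::3 esp 24508 -m tunnel -E rijndael-cbc "1111111111111111" ;

# Test 9: IPv6 tunnel mode + LLA fe80::11:3 <-> fe80::11:11
# 10.9.13.3 <- tunnel mode IPSec -> 10.9.13.11
# fc00:13::3 <- -> fc00:13::11
spdadd 10.9.13.3 10.9.13.11 any -P in ipsec esp/tunnel/fe80::11:3%em0-fe80::11:11%em0/default;
spdadd 10.9.13.11 10.9.13.3 any -P out ipsec esp/tunnel/fe80::11:11%em0-fe80::11:3%em0/default;
spdadd -6 fc00:13::3 fc00:13::11 any -P in ipsec esp/tunnel/fe80::11:3%em0-fe80::11:11%em0/default;
spdadd -6 fc00:13::11 fc00:13::3 any -P out ipsec esp/tunnel/fe80::11:11%em0-fe80::11:3%em0/default;
add -6 fe80::11:3%em0 fe80::11:11%em0 esp 15709 -m tunnel -E rijndael-cbc "1111111111111111" ;
add -6 fe80::11:11%em0 fe80::11:3%em0 esp 24509 -m tunnel -E rijndael-cbc "1111111111111111" ;

# Test 10: IPv4 tunnel mode + gif 10.9.14.3 <-> 10.9.14.11
# 10.9.14.3 <- tunnel mode IPSec -> 10.9.14.11
# 192.168.1.3 <- -> 192.168.1.11
# fc00:14::3 <- -> fc00:14::11
spdadd 10.9.14.3 10.9.14.11 any -P in ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 10.9.14.11 10.9.14.3 any -P out ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd 192.168.1.3 192.168.1.11 any -P in ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd 192.168.1.11 192.168.1.3 any -P out ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
spdadd -6 fc00:14::3 fc00:14::11 any -P in ipsec esp/tunnel/10.9.14.3-10.9.14.11/default;
spdadd -6 fc00:14::11 fc00:14::3 any -P out ipsec esp/tunnel/10.9.14.11-10.9.14.3/default;
add 10.9.14.3 10.9.14.11 esp 15710 -m tunnel -E rijndael-cbc "1111111111111111" ;
add 10.9.14.11 10.9.14.3 esp 24510 -m tunnel -E rijndael-cbc "1111111111111111" ;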
- Repository
- rS FreeBSD src repository - subversion