
ipsec: add `net.inet.ipsec.random_id`
Needs ReviewPublic

Authored by aurelien.cazuc.external_stormshield.eu on Fri, Feb 28, 12:17 PM.
Tags
None

Details

Reviewers
None
Group Reviewers
transport
Summary

ESP-encapsulated packets may get a generated IP id if the net.inet.random_id sysctl equals 1.
While it's useful in most IP contexts, it may be unnecessary in the case of IPsec-encapsulated packets because IPsec can be configured to use anti-replay windows.
Because random id generation can cost a lot of CPU resources when many packets are handled, it can be useful to disable this generation for IPsec packets.
This review adds a new net.inet.ipsec.random_id sysctl to control whether or not IPsec packets may use random id generation.

Test Plan

When sending a ping through a tunnel:

  • packet IDs are sequential when net.inet.ipsec.random_id is set to 0
  • packet IDs are random when net.inet.ipsec.random_id is set to 1

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

It looks a bit confusing when you set net.inet.ipsec.random_id=1 and it does not work because the default value of net.inet.random_id is 0.
It should be documented in ipsec(4).
Maybe just make ip_fillid_ex as ip_fillid_ex(struct ip *, bool do_randomid) and set net.inet.ipsec.random_id=0 by default?

In D49164#1121535, @ae wrote:

It looks a bit confusing when you set net.inet.ipsec.random_id=1 and it does not work because the default value of net.inet.random_id is 0.
It should be documented in ipsec(4).
Maybe just make ip_fillid_ex as ip_fillid_ex(struct ip *, bool do_randomid) and set net.inet.ipsec.random_id=0 by default?

The problem with the suggested patch is that you need to set two knobs to true to actually enable random ID for IPSEC. Nor can you enable random for IPSEC and disable it for others!

If we are moving towards enabling/disabling the random ID generation per protocol, let's just extend ip_fillid() with an argument. There is not much use of this function in the kernel, the sweep won't be big. All existing protocols will provide the default knob pointer, and IPSEC will provide its own.

So,

VNET_DEFINE_STATIC(int, ip_do_randomid) = 0;

changes to a non-static one and VNET_DECLARE() is added to ip_var.h next to the new ip_fillid() definition. Meanwhile we can change the sysctl to bool and shorten the global variable name.

VNET_DECLARE(bool, ip_randomid);
ip_fillid(struct ip *, bool)

Then every other place than IPSEC would use ip_fillid(ip, V_ip_randomid) and IPSEC would use ip_fillid(ip, V_ipsec_randomid).

aurelien.cazuc.external_stormshield.eu edited the test plan for this revision.

As proposed by @glebius, ip_fillid now always takes a boolean to enable random id.
The boolean is V_ip_random_id for all calls to the function, except for ipsec_output where it's V_ip4_ipsec_random_id.
ipsec(4) has been modified as well to document the ipsec sysctl.
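As an added user-space illustration (not the kernel code and not the patch under review) of the ip_fillid(struct ip *, bool) design @glebius proposes above and the final update adopts: one helper, and each caller passes the knob that applies to it, so IPsec output can use random ids while other traffic stays sequential, or the reverse. The struct ip, the knob variables and the xorshift "random" source are simplified stand-ins assumed for this model.

```c
/* Standalone model of ip_fillid(struct ip *, bool): one helper, each caller
 * passes the knob that applies to it. Simplified stand-ins, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <arpa/inet.h>

struct ip { uint16_t ip_id; };          /* only the field this example touches */

/* Stand-ins for the per-VNET knobs net.inet.random_id and
 * net.inet.ipsec.random_id; both default to 0 here, as discussed above. */
static bool ip_randomid = false;
static bool ipsec_randomid = false;
static uint16_t ip_id_counter;          /* state of the sequential generator */
static uint32_t prng_state = 0x2545F491u;

/* xorshift32 as a deterministic stand-in for the kernel's id randomizer. */
static uint16_t random_id(void)
{
	prng_state ^= prng_state << 13;
	prng_state ^= prng_state >> 17;
	prng_state ^= prng_state << 5;
	return (uint16_t)prng_state;
}
/* The proposed signature: the caller decides whether this id is random. */
static void ip_fillid(struct ip *ip, bool do_randomid)
{
	uint16_t id = do_randomid ? random_id() : ++ip_id_counter;
	ip->ip_id = htons(id);
}

/* Every non-IPsec caller hands in the global knob ... */
static void ip_output_fillid(struct ip *ip) { ip_fillid(ip, ip_randomid); }
/* ... while ipsec_output hands in its own, independent of the global one. */
static void ipsec_output_fillid(struct ip *ip) { ip_fillid(ip, ipsec_randomid); }

/* Generate n ids through one output path and report whether they are strictly
 * consecutive, which is what the test plan expects when the knob is 0. */
static bool ids_sequential(void (*fill)(struct ip *), int n)
{
	struct ip ip; uint16_t prev = 0;
	for (int i = 0; i < n; i++) {
		fill(&ip);
		uint16_t id = ntohs(ip.ip_id);
		if (i > 0 && id != (uint16_t)(prev + 1))
			return false;
		prev = id;
	}
	return true;
}
```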