ipsec: add `net.inet.ipsec.random_id`
ClosedPublic
Actions

Authored by anaelle.cazuc_stormshield.eu on Feb 28 2025, 12:17 PM.

Details

Reviewers

glebius

Group Reviewers

transport

Commits

rG70703aa922b4: netinet: allow per protocol random IP id control, single out IPSEC

Summary

esp-encapsulated packets may get a generated IP id if the net.inet.random_id sysctl equals 1
while it's useful in most IP contexts, it may be unnecessary in the case of IPsec encapsulated packets because IPsec can be configured to use anti-replay windows
because random id generation can cost a lot of CPU resources when many packets are handled, it can be useful to disable this generation for IPsec packets
this reviews adds a new net.inet.ipsec.random_id sysctl to control whether or not IPsec packets may use random id generation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

anaelle.cazuc_stormshield.eu created this revision.Feb 28 2025, 12:17 PM

Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptFeb 28 2025, 12:17 PM

anaelle.cazuc_stormshield.eu requested review of this revision.Feb 28 2025, 12:17 PM

stephane.rochoy_stormshield.eu added a subscriber: stephane.rochoy_stormshield.eu.Feb 28 2025, 1:17 PM

It looks a bit confusing when you set net.inet.ipsec.random_id=1 and it does not work because default value of net.inet.random_id is 0.
It should be documented in ipsec(4).
Maybe just make ip_fillid_ex as ip_fillid_ex(struct ip *, bool do_randomid) and set net.inet.ipsec.random_id=0 by default?

In D49164#1121535, @ae wrote:

It looks a bit confusing when you set net.inet.ipsec.random_id=1 and it does not work because default value of net.inet.random_id is 0.
It should be documented in ipsec(4).
Maybe just make ip_fillid_ex as ip_fillid_ex(struct ip *, bool do_randomid) and set net.inet.ipsec.random_id=0 by default?

The problem with suggested patch is that you need to set two knobs to true to actually enable random ID for IPSEC. Neither you can enable random for IPSEC and disable for others!

If we are moving towards enabling/disabling the random ID generation per protocol, let's just extend ip_fillid() with an argument. There is not much use of this function in the kernel, the sweep won't be big. All existing protocols will provide the default knob pointer, and IPSEC will provide its own.

So,

VNET_DEFINE_STATIC(int, ip_do_randomid) = 0;

changes to non-static one and VNET_DECLARE() is added to to ip_var.h next to new ip_fillid() definition. Meanwhile we can change the sysctl to bool and shorten the global variable name.

VNET_DECLARE(bool, ip_randomid);
ip_fillid(struct ip *, bool)

Then every other place than IPSEC would use ip_fillid(ip, V_ip_randomid) and IPSEC would use ip_fillid(ip, V_ipsec_randomid).

As proposed by @glebius, ip_fillid now does always take a boolean to enable random id
The boolean is V_ip_random_id for all the calls to the function, except for ipsec_output where it's V_ip4_ipsec_random_id
ipsec(4) has been modified as well to document the ipsec sysctl

Herald added a reviewer: transport. · View Herald TranscriptMar 3 2025, 1:16 PM

Herald added subscribers: ziaee, vegeta_tuxpowered.net, donner, farrokhi. · View Herald Transcript

Thanks!

Do you need me to check in the change, or you have other committer you work with? In the former case, do you have a shared git branch with this change and your name/email spelled correctly in the commit message?

anaelle.cazuc_stormshield.eu edited the summary of this revision. (Show Details)Mar 4 2025, 8:41 AM

I commited the change on github here: https://github.com/stormshield-acazuc/freebsd-src/commit/b2e39427211c2645b567d0039ce74636d449d6fa
I can create a pull request if it's easier for you to merge

Pushed with some editing/formatting of the commit message and date update in the manual page. Thanks!

This revision was not accepted when it landed; it landed in state Needs Review.Mar 5 2025, 1:39 AM

Closed by commit rG70703aa922b4: netinet: allow per protocol random IP id control, single out IPSEC (authored by anaelle.cazuc_stormshield.eu, committed by glebius). · Explain Why

This revision was automatically updated to reflect the committed changes.

glebius added a commit: rG70703aa922b4: netinet: allow per protocol random IP id control, single out IPSEC.