
Fix handling of scoped IPv6 addresses in IPSec code.

Description

Fix handling of scoped IPv6 addresses in IPSec code.

  • in ipsec_encap() embed scope zone ids into link-local addresses in the new IPv6 header, this helps ip6_output() disambiguate the scope;
  • teach key_ismyaddr6() to use in6_localip(). in6_localip() is less strict than key_sockaddrcmp(). It doesn't compare all fields of struct sockaddr_in6, but it is faster and it should be safe, because all SA's data was checked for correctness. Also, since IPv6 link-local addresses in the &V_in6_ifaddrhead are stored in kernel-internal form, we need to embed scope zone id from SA into the address before calling in6_localip.
  • in ipsec_common_input() take scope zone id embedded in the address and use it to initialize sin6_scope_id, then use this sockaddr structure to lookup SA, because we keep addresses in the SADB without embedded scope zone id.

Differential Revision: https://reviews.freebsd.org/D2304
Reviewed by: gnn
Sponsored by: Yandex LLC
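
The two address forms the message distinguishes (zone id embedded in the address versus zone id carried in sin6_scope_id), shown as an added userland illustration that is not code from this commit. It assumes the KAME convention of keeping the zone id in the second 16-bit word of a link-local address; the helper names are hypothetical.

```c
/* Added illustration, userland only; not FreeBSD kernel code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* fe80::/10 check on raw bytes, so it also matches the embedded form. */
static int is_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/* Build a sockaddr_in6 from text plus a zone id (constructed sample input). */
static struct sockaddr_in6 make_sa(const char *txt, uint32_t zone)
{
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin6_family = AF_INET6;
    inet_pton(AF_INET6, txt, &sa.sin6_addr);
    sa.sin6_scope_id = zone;
    return sa;
}

/* sin6_scope_id form -> embedded form. Returns 1 if embedded, 0 if the
 * address is not link-local, -1 if the zone is missing or exceeds 16 bits. */
static int embed_zone(struct sockaddr_in6 *sa)
{
    if (!is_linklocal(&sa->sin6_addr))
        return 0;
    if (sa->sin6_scope_id == 0 || sa->sin6_scope_id > 0xffff)
        return -1;
    sa->sin6_addr.s6_addr[2] = (uint8_t)(sa->sin6_scope_id >> 8);
    sa->sin6_addr.s6_addr[3] = (uint8_t)(sa->sin6_scope_id & 0xff);
    sa->sin6_scope_id = 0;
    return 1;
}

/* Embedded form -> sin6_scope_id form. Returns 1 if a zone was recovered. */
static int recover_zone(struct sockaddr_in6 *sa)
{
    uint32_t zone;
    if (!is_linklocal(&sa->sin6_addr))
        return 0;
    zone = ((uint32_t)sa->sin6_addr.s6_addr[2] << 8) | sa->sin6_addr.s6_addr[3];
    if (zone == 0)
        return 0;
    sa->sin6_scope_id = zone;
    sa->sin6_addr.s6_addr[2] = sa->sin6_addr.s6_addr[3] = 0;
    return 1;
}
```

The same fe80::1 on two interfaces is byte-identical until the zone is embedded, which is why a lookup has to be done with both sides in the same form.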

Details

Provenance
ae Authored on
Reviewer
gnn
Differential Revision
D2304: Fix handling scoped IPv6 addresses in IPSec code
Parents
rS281692: Remove xform_ipip.c and code related to XF_IP4.