Discussion:
PFkey update to get recent racoon working on NetBSD
Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
2009-12-18 14:12:36 UTC
Hi Yvan,

I've seen your mail at [1] that there were recent changes in racoon that need matching changes to the kernel's PFkey interface.
I'm currently experiencing this problem with a recent racoon (taken from NetBSD-current CVS) and a NetBSD 5.0 userland;
the problem I see is repeatedly created phase 2 SA entries, as described in [2] by Brett Lymn.

Do you have any patches in this direction already, or can you outline the work that needs to be done?
Do you have files & revisions (or URLs to source-changes mails) for FreeBSD?

Thanks a lot in advance!


- Daniel Zebralla


[1] http://sourceforge.net/mailarchive/message.php?msg_name=20090729195853.GA5366%40zeninc.net
[2] http://sourceforge.net/mailarchive/message.php?msg_id=20090725215420.GA3745%40internode.on.net

P.S. I'm posting this to tech-net@ but I'm not subscribed. Please keep me on CC: on replies.


A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Telefon +49 (941) 78385-460
Telefax +49 (941) 78385-150
***@ape-net.com
http://www.ape-net.com

_______________________________________

A.P.E. GmbH  IT-Security
Sitz der Gesellschaft: Regensburg
Handelsregister: HRB 5953, Regensburg
Geschäftsführer: Dr. Dieter Steiner



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
VANHULLEBUS Yvan
2009-12-21 10:45:24 UTC
Post by Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
Hi Yvan,
Hi all.
Post by Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
I've seen your mail at [1] that there were recent changes in racoon
that need matching changes to the kernel's PFkey interface.
Yep.
Post by Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
I'm currently experiencing this problem with a recent racoon (taken
from NetBSD-current CVS) and a NetBSD 5.0 userland,
the problem that I see are repeatedly created phase2 SA entries as
described in [2] by Brett Lymn.
Do you have any patches in this direction already, or can you
outline the work that needs to be done?
Not actually, I still haven't found time to finish minor fixes and to
port it to NetBSD....
I'll be on holidays at the end of the week, I may have time to do at
least most of that job in the next weeks.....
Post by Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
Do you have files & revisions (or URLs to source-changes mails) for FreeBSD?
Not so easy to track: the best way may be to get the diff
between..... two patches!
The first one is the "old" patchset maintained for older versions,
available at http://people.freebsd.org/~vanhu/NAT-T (use only patches
without TEST or experimental, they will be the version closest to
NetBSD's).

The second patchset is the commit on FreeBSD's HEAD:
http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
which mostly includes the "correct" version (well, there are still a
few known bugs in specific situations, I'll have to make some test
setups to be able to hunt them).


If someone starts porting that to NetBSD (don't forget that NetBSD
still ships both IPSEC and FAST_IPSEC, work will need to be done
twice....), please let me know, that may avoid 2 guys doing the same
job at the same time, and I can also give some hints, code review,
etc....



Yvan.

Thor Lancelot Simon
2009-12-21 16:51:21 UTC
Post by VANHULLEBUS Yvan
Post by Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
Do you have any patches in this direction already, or can you
outline the work that needs to be done?
Not actually, I still haven't found time to finish minor fixes and to
port it to NetBSD....
If racoon is going to live in NetBSD's CVS repository, then changes which
break correct operation on NetBSD should not be checked in!

Thor

Christos Zoulas
2009-12-21 18:58:06 UTC
Post by Thor Lancelot Simon
Post by VANHULLEBUS Yvan
Post by Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
Do you have any patches in this direction already, or can you
outline the work that needs to be done?
Not actually, I still haven't found time to finish minor fixes and to
port it to NetBSD....
If racoon is going to live in NetBSD's CVS repository, then changes which
break correct operation on NetBSD should not be checked in!
To HEAD; you can do whatever you want with branches.
We expect that installing from a source tree actually works.

christos


Hubert Feyrer
2009-12-22 12:06:44 UTC
Post by VANHULLEBUS Yvan
http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
Do you have output of "svn diff" or so available somewhere?
I'm interested to have a look...

Thanks!


- Hubert

Hubert Feyrer
2009-12-22 12:27:23 UTC
Post by Hubert Feyrer
Post by VANHULLEBUS Yvan
http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
Do you have output of "svn diff" or so available somewhere?
I'm interested to have a look...
Got it, this did the job:
svn diff -r 194061:194062 svn://svn.freebsd.org/base/


- Hubert

John Nemeth
2010-02-01 06:07:31 UTC
On May 13, 6:21am, VANHULLEBUS Yvan wrote:
} On Fri, Dec 18, 2009 at 03:12:36PM +0100, Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development) wrote:
}
} > I've seen your mail at [1] that there were recent changes in racoon
} > that need matching changes to the kernel's PFkey interface.
}
} Yep.
}
} > I'm currently experiencing this problem with a recent racoon (taken
} > from NetBSD-current CVS) and a NetBSD 5.0 userland;
} > the problem I see is repeatedly created phase 2 SA entries, as
} > described in [2] by Brett Lymn.
}
} > Do you have any patches in this direction already, or can you
} > outline the work that needs to be done?
}
} Not actually, I still haven't found time to finish minor fixes and to
} port it to NetBSD....
} I'll be on holidays at the end of the week, I may have time to do at
} least most of that job in the next weeks.....
}
} > Do you have files & revisions (or URLs to source-changes mails) for
} > FreeBSD?
}
} Not so easy to track: the best way may be to get the diff
} between..... two patches!
} The first one is the "old" patchset maintained for older versions,
} available at http://people.freebsd.org/~vanhu/NAT-T (use only patches
} without TEST or experimental, they will be the version closest to
} NetBSD's).
}
} The second patchset is the commit on FreeBSD's HEAD:
} http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
} which mostly includes the "correct" version (well, there are still a
} few known bugs in specific situations, I'll have to make some test
} setups to be able to hunt them).

I found this patchset and applied what appeared to be the
pertinent parts. Unfortunately, the result was that racoon couldn't
communicate with the kernel.

} If someone starts porting that to NetBSD (don't forget that NetBSD
} still ships both IPSEC and FAST_IPSEC, work will need to be done

They use common code for key management, so not a big deal.

} twice....), please let me know, that may avoid 2 guys doing the same
} job at the same time, and I can also give some hints, code review,
} etc....

Does anything need to be done with racoon? Do you have a detailed
description of the PFKey interface? Any hints? I have about three
months to finish this project for the application that I plan on using
NAT-T. Not a huge rush, but I do need to get moving on it.

}-- End of excerpt from VANHULLEBUS Yvan

VANHULLEBUS Yvan
2010-02-01 08:59:10 UTC
[....]
Post by John Nemeth
} http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
} which mostly includes the "correct" version (well, there are still a
} few known bugs in specific situations, I'll have to make some test
} setups to be able to hunt them).
I found this patchset and applied what appeared to be the
pertinent parts. Unfortunately, the result was that racoon couldn't
communicate with the kernel.
Can you send me a racoon.debug and configuration files ?

You may have missed some parts of the patchset, or there may be more
differences between FreeBSD and NetBSD than I expected in the
PFKey interface (but I don't think so, as I already did a similar job
in the other direction, from NetBSD to FreeBSD, some years ago).
Post by John Nemeth
} If someone starts porting that to NetBSD (don't forget that NetBSD
} still ships both IPSEC and FAST_IPSEC, work will need to be done
They use common code for key management, so not a big deal.
Not exactly: they use code which mostly derived from the same
sources, but, for example, each one has its own key.c (in netkey for
IPSEC, and in netipsec for FAST_IPSEC).
Post by John Nemeth
} twice....), please let me know, that may avoid 2 guys doing the same
} job at the same time, and I can also give some hints, code review,
} etc....
Does anything need to be done with racoon?
Nothing except using HEAD (and of course recompile it, as kernel
patchset changes at least net/pfkeyv2.h).
Post by John Nemeth
Do you have a detailed
description of the PFKey interface?
NAT-T extensions don't have a standard description, and we didn't take
the time to write a detailed description of the way we use it, sorry.

But basically, the idea is that ports information for peers (I'm
talking about tunnel endpoints here, NOT traffic endpoints) MUST NOT
be sent in SADB_EXT_ADDRESS_*, but in SADB_X_EXT_NAT_T_[S|D]PORT.


Yvan.

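The rule Yvan gives above (tunnel-endpoint ports go in SADB_X_EXT_NAT_T_SPORT/DPORT, never in the sockaddr carried by SADB_EXT_ADDRESS_SRC/DST) is easy to get wrong when porting, because a sockaddr_in has a perfectly good sin_port field sitting right there. The C below is an added example, not code from the thread, from racoon, or from either BSD's kernel: it encodes the address and NAT-T port extensions of an SADB_ADD/SADB_UPDATE payload the NAT-T way and then walks the result to enforce the invariant, so a ported key.c or a racoon build can be checked from userland before a real SA is ever installed. The struct layouts mirror sadb_address and sadb_x_nat_t_port from net/pfkeyv2.h and the numeric extension codes are the ones I expect in that header, but both are redefined locally so it builds on a non-BSD host; treat them as assumptions and compare against your tree. Only these four extensions are modelled, not the full sadb_msg or the SA extension.

```c
/*
 * Added example (not from the thread, racoon or the BSD kernels): build the
 * peer-address part of a NAT-T PF_KEY payload and check Yvan's rule that
 * endpoint ports live in SADB_X_EXT_NAT_T_SPORT/DPORT, not in the sockaddr
 * of SADB_EXT_ADDRESS_SRC/DST.
 *
 * ASSUMPTION: extension codes and layouts below mirror net/pfkeyv2.h as I
 * expect it; they are redefined locally so this compiles anywhere. Verify
 * them against your own tree before trusting the output.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define SADB_EXT_ADDRESS_SRC     5
#define SADB_EXT_ADDRESS_DST     6
#define SADB_X_EXT_NAT_T_SPORT  21
#define SADB_X_EXT_NAT_T_DPORT  22

/* Every PF_KEY v2 extension starts with len (in 64-bit units) and type. */
struct ext_hdr { uint16_t len; uint16_t exttype; };

struct sadb_address_local {            /* mirrors struct sadb_address */
    uint16_t len, exttype;
    uint8_t  proto, prefixlen;
    uint16_t reserved;
};

struct sadb_x_nat_t_port_local {       /* mirrors struct sadb_x_nat_t_port */
    uint16_t len, exttype;
    uint16_t port;                     /* network byte order, like sin_port */
    uint16_t reserved;
};

#define PFKEY_ALIGN8(n) (((n) + 7u) & ~7u)
#define PFKEY_UNIT64(n) ((uint16_t)((n) / 8))

/* SADB_EXT_ADDRESS_* with an IPv4 sockaddr whose sin_port is forced to 0. */
static size_t put_address(uint8_t *buf, uint16_t exttype, const char *ip)
{
    struct sadb_address_local h = {0};
    struct sockaddr_in sa = {0};
    size_t total = sizeof h + PFKEY_ALIGN8(sizeof sa);

    h.len = PFKEY_UNIT64(total);
    h.exttype = exttype;
    h.prefixlen = 32;
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                   /* the NAT-T rule: no port here */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0, PFKEY_ALIGN8(sizeof sa));
    memcpy(buf + sizeof h, &sa, sizeof sa);
    return total;
}

/* SADB_X_EXT_NAT_T_SPORT or _DPORT carrying the UDP port of one endpoint. */
static size_t put_nat_t_port(uint8_t *buf, uint16_t exttype, uint16_t port)
{
    struct sadb_x_nat_t_port_local p = {0};
    p.len = PFKEY_UNIT64(sizeof p);
    p.exttype = exttype;
    p.port = htons(port);
    memcpy(buf, &p, sizeof p);
    return sizeof p;
}

/* SRC/DST addresses (ports zeroed) followed by NAT-T SPORT/DPORT.
 * Returns the number of bytes written, 0 on bad input or a short buffer. */
size_t build_nat_t_exts(uint8_t *buf, size_t cap, const char *src, uint16_t sport,
                        const char *dst, uint16_t dport)
{
    size_t off = 0, n;
    if (cap < 2 * (8 + 16) + 2 * 8) return 0;
    if ((n = put_address(buf + off, SADB_EXT_ADDRESS_SRC, src)) == 0) return 0;
    off += n;
    if ((n = put_address(buf + off, SADB_EXT_ADDRESS_DST, dst)) == 0) return 0;
    off += n;
    off += put_nat_t_port(buf + off, SADB_X_EXT_NAT_T_SPORT, sport);
    off += put_nat_t_port(buf + off, SADB_X_EXT_NAT_T_DPORT, dport);
    return off;
}

/* Walk the extensions and enforce the rule. 0 = OK, -1 = a port was smuggled
 * in an SADB_EXT_ADDRESS_* sockaddr, -2 = malformed, -3 = NAT-T port missing. */
int check_nat_t_ports(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int have_sport = 0, have_dport = 0;

    while (off + sizeof(struct ext_hdr) <= len) {
        struct ext_hdr eh;
        memcpy(&eh, buf + off, sizeof eh);
        size_t elen = (size_t)eh.len * 8;
        if (elen < 8 || off + elen > len) return -2;
        if (eh.exttype == SADB_EXT_ADDRESS_SRC || eh.exttype == SADB_EXT_ADDRESS_DST) {
            struct sockaddr_in sa;
            if (elen < sizeof(struct sadb_address_local) + sizeof sa) return -2;
            memcpy(&sa, buf + off + sizeof(struct sadb_address_local), sizeof sa);
            if (sa.sin_family == AF_INET && sa.sin_port != 0) return -1;
        } else if (eh.exttype == SADB_X_EXT_NAT_T_SPORT) {
            have_sport = 1;
        } else if (eh.exttype == SADB_X_EXT_NAT_T_DPORT) {
            have_dport = 1;
        }
        off += elen;
    }
    if (off != len) return -2;
    return (have_sport && have_dport) ? 0 : -3;
}

int main(void)
{
    uint8_t buf[128];   /* constructed sample: both peers behind NAT on 4500 */
    size_t n = build_nat_t_exts(buf, sizeof buf, "192.0.2.1", 4500, "198.51.100.2", 4500);
    printf("%zu bytes, check=%d\n", n, check_nat_t_ports(buf, n));
    return 0;
}
```

The same walker can be pointed at a real SADB_UPDATE captured from racoon (for instance via a PF_KEY socket opened in promiscuous mode, or by dumping the buffer in pfkey_send_update) to tell the two symptoms apart: a -1 means the daemon still uses the old convention and the kernel will keep treating the SA as a mismatch, which is consistent with the repeated phase 2 negotiations described in this thread; a -3 means the NAT-T extensions were never emitted at all, which points at racoon having been built against a pfkeyv2.h without them.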
John Nemeth
2010-02-08 07:58:42 UTC
On Jun 24, 4:34am, VANHULLEBUS Yvan wrote:
} On Sun, Jan 31, 2010 at 10:07:31PM -0800, John Nemeth wrote:
} > On May 13, 6:21am, VANHULLEBUS Yvan wrote:
} [....]
} > } Second patchset is commit on FreeBSD's HEAD:
} > } http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
} > } which mostly includes the "correct" version (well, there are still a
} > } few known bugs in specific situations, I'll have to make some test
} > } setups to be able to hunt them).
} >
} > I found this patchset and applied what appeared to be the
} > pertinent parts. Unfortunately, the result was that racoon couldn't
} > communicate with the kernel.
}
} Can you send me a racoon.debug and configuration files ?

Okay, I'll send that under separate cover.

} You may have missed some parts of the patchset, or there may be more

Possibly.

} differences between FreeBSD and NetBSD than I expected in the
} PFKey interface (but I don't think so, as I already did a similar job
} in the other direction, from NetBSD to FreeBSD, some years ago).
}
} > } If someone starts porting that to NetBSD (don't forget that NetBSD
} > } still ships both IPSEC and FAST_IPSEC, work will need to be done
} >
} > They use common code for key management, so not a big deal.
}
} Not exactly: they use code which mostly derived from the same
} sources, but, for example, each one has its own key.c (in netkey for
} IPSEC, and in netipsec for FAST_IPSEC).

Ah right. I was working in netipsec and running regular IPSEC.
I've just updated netkey/key.c.

} > } twice....), please let me know, that may avoid 2 guys doing the same
} > } job at the same time, and I can also give some hints, code review,
} > } etc....
} >
} > Does anything need to be done with racoon?
}
} Nothing except using HEAD (and of course recompile it, as kernel
} patchset changes at least net/pfkeyv2.h).

Oops, I had updated net/pfkeyv2.h, but forgot to install it. It's
now installed and everything has been rebuilt. I just did a NAT-T test.
racoon no longer complains about not being able to set a key, but it is
back to the old symptom of repeatedly trying to establish phase 2.

} > Do you have a detailed
} > description of the PFKey interface?
}
} NAT-T extensions don't have a standard description, and we didn't take
} the time to write a detailed description of the way we use it, sorry.
}
} But basically, the idea is that ports information for peers (I'm
} talking about tunnel endpoints here, NOT traffic endpoints) MUST NOT
} be sent in SADB_EXT_ADDRESS_*, but in SADB_X_EXT_NAT_T_[S|D]PORT.
}
}-- End of excerpt from VANHULLEBUS Yvan
