[redhat-lspp] Labeled IPsec localhost problems

Joy Latten latten at austin.ibm.com
Thu Feb 1 02:01:34 UTC 2007


On Wed, 2007-01-31 at 18:20 -0500, Paul Moore wrote:
> On Wednesday, January 31 2007 6:00 pm, Eric Paris wrote:
> > On Wed, 2007-01-31 at 15:33 -0600, Joy Latten wrote:
> > > As for sequence numbers, their use is optional and we can
> > > specify/document that when using loopback, we recommend you do not use
> > > them since loopback has guaranteed delivery. Because yes, packets can
> > > get dropped when using sequence numbers and window size.
> >
> > I'm no ipsec expert, but my understanding was that the purpose of the
> > sequence number in ipsec was to prevent playback in the future.  It's
> > not a delivery guarantee mechanism like the seq number in TCP.  Not sure
> > if we care about losing replay protection on loopback, but if it is the
> > only way....
> 
> From what I can recall, yes, the AH/ESP sequence number is purely for replay 
> protection (I'm really trying not to have to crack open the IPsec RFCs <g>), 
> which I'm not sure is all that important for loopback - after all, we kinda 
> have to trust our own network stack.
> 
> My main concern with the sequence number is what would happen if you had a lot 
> of processes sending data and receiving data over the same SA on a large 
> multi-processor box - could you potentially run into a problem where you 
> start dropping packets because they are outside of a sequence number window?  
> I'm not sure because I haven't been that involved with the IPsec work that 
> has been going on; I was hoping that some of the people who have been working 
> on IPsec would know the answer ...
> 
I don't know much about the anti-replay. Especially, whether or not
loopback should have it. Perhaps someone else can answer, or even netdev
or ipsec-tools lists. 

I looked at the code and for each xfrm, there are 2 sequence numbers.
One used for outbound processing, which is incremented and value placed
in SA. And one used for inbound processing, that is, it's value is used
to determine if arriving SA's seq no is within window.  Because an SA
pair represents a traffic stream, I am guessing that in a non-loopback
scenario, one of the SAs will always have outbound-seq non-zero and
inbound-seq zero, and opposite for other SA in pair. This is just a
guess. I have no proof, but this may be the same case for loopback. 
Don't really know...

Joy
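As an added illustration of the two counters Joy describes above and of the drop scenario Paul asks about (this is example code written for this page, not code from the thread or from the kernel's xfrm implementation): the outbound counter is simply incremented and stamped into each packet, while the inbound side keeps the highest sequence number seen plus a bitmap of the last REPLAY_WINDOW numbers, following the window algorithm in RFC 2401 Appendix C. The window size of 32, the helper names, and the constructed delivery orders (one packet held back until a given number of later packets have arrived) are assumptions for the demonstration. The point it shows is that a legitimate packet whose sequence number ends up REPLAY_WINDOW or more behind the newest accepted one is dropped as if it were a replay, which is exactly what can happen when many senders share one SA's counter and their packets reach the receiver out of order.

```c
/* Added example, not from the thread or the kernel: per-SA anti-replay
 * window (RFC 2401 Appendix C style) plus a small reordering simulation.
 * REPLAY_WINDOW and the delivery orders below are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32   /* assumed window size, in packets */

/* Inbound state kept per SA: highest sequence number accepted so far and a
 * bitmap of which of the last REPLAY_WINDOW numbers have been seen.
 * Bit 0 stands for last_seq itself, bit n for last_seq - n. */
struct replay_state {
    uint32_t last_seq;
    uint32_t bitmap;
};

/* Outbound state per SA: the counter stamped into each AH/ESP header.
 * Every sender using the SA draws from this one counter. */
struct send_state {
    uint32_t oseq;
};

/* Returns 1 if the packet is accepted (and the window updated), 0 if it is
 * dropped because it is a replay or has fallen behind the window. */
int replay_check(struct replay_state *rs, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)                      /* sequence numbers start at 1 */
        return 0;

    if (seq > rs->last_seq) {          /* new highest: slide the window */
        diff = seq - rs->last_seq;
        if (diff < REPLAY_WINDOW) {
            rs->bitmap <<= diff;
            rs->bitmap |= 1u;
        } else {
            rs->bitmap = 1u;           /* jumped past the whole window */
        }
        rs->last_seq = seq;
        return 1;
    }

    diff = rs->last_seq - seq;
    if (diff >= REPLAY_WINDOW)         /* too far behind: dropped */
        return 0;
    if (rs->bitmap & (1u << diff))     /* already seen: replay */
        return 0;
    rs->bitmap |= (1u << diff);        /* late but inside the window */
    return 1;
}

/* Hand out the next outbound sequence number. A real stack does this under
 * a lock or atomically, since several CPUs may send on the same SA. */
uint32_t next_seq(struct send_state *ss)
{
    return ++ss->oseq;
}

/* n packets take sequence numbers in order but are delivered in the order
 * given by `order` (indices into the sequence). Returns how many of these
 * legitimate packets the receiver drops purely because of reordering. */
int count_reorder_drops(const uint32_t *order, int n)
{
    struct send_state ss = { 0 };
    struct replay_state rs = { 0, 0 };
    uint32_t seqs[64];
    int i, drops = 0;

    if (n > 64)
        n = 64;
    for (i = 0; i < n; i++)
        seqs[i] = next_seq(&ss);
    for (i = 0; i < n; i++)
        if (!replay_check(&rs, seqs[order[i]]))
            drops++;
    return drops;
}

/* Constructed scenario: the sender holding seq 1 stalls (say, descheduled
 * right after taking the number) until `delay` later packets have arrived. */
int drops_with_delay(int n, int delay)
{
    uint32_t order[64];
    int i, pos = 0;

    if (n > 64)
        n = 64;
    if (delay > n - 1)
        delay = n - 1;
    for (i = 1; i <= delay; i++)       /* seqs 2 .. delay+1 first */
        order[pos++] = (uint32_t)i;
    order[pos++] = 0;                  /* then the stalled seq 1 */
    for (i = delay + 1; i < n; i++)    /* then the rest in order */
        order[pos++] = (uint32_t)i;
    return count_reorder_drops(order, n);
}

int main(void)
{
    printf("seq 1 delayed %d places: %d dropped\n", 10, drops_with_delay(41, 10));
    printf("seq 1 delayed %d places: %d dropped\n", 31, drops_with_delay(41, 31));
    printf("seq 1 delayed %d places: %d dropped\n", 32, drops_with_delay(41, 32));
    return 0;
}
```

With a 32-packet window the stalled packet survives a delay of 31 positions and is dropped at 32, so the answer to the multi-processor question depends on how far apart "took the number" and "reached the receiver" can drift relative to the configured window, not on the number of senders as such.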
