From owner-freebsd-net@freebsd.org Wed Jun 13 07:37:25 2018
Subject: Re: 11.2-RC1 setkey invalid spi ?
To: Patrick Lamaiziere, FreeBSD Net
From: "Andrey V. Elsukov"
Date: Wed, 13 Jun 2018 10:34:33 +0300
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
References: <20180612143447.697681c5@mr185083> <20180612160116.58df4001@mr185083>
In-Reply-To: <20180612160116.58df4001@mr185083>
List-Id: Networking and TCP/IP with FreeBSD

On 12.06.2018 17:02, Patrick Lamaiziere wrote:
> # setkey -f /etc/ipsec.conf
> # setkey -D
> 129.20.128.149 129.20.128.78
> 	tcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
> 	A: tcp-md5 73656372 6574
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
> 	created: Jun 12 15:57:28 2018	current: Jun 12 15:57:36 2018
> 	diff: 8(s)	hard: 0(s)	soft: 0(s)
> 	last:		hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=1 pid=5405 refcnt=1
> 129.20.128.78 129.20.128.149
> 	tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
> 	A: tcp-md5 73656372 6574
> 	seq=0x00000000 replay=0 flags=0x00000040 state=mature
> 	created: Jun 12 15:57:28 2018	current: Jun 12 15:57:36 2018
> 	diff: 8(s)	hard: 0(s)	soft: 0(s)
> 	last:		hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=5405 refcnt=1
>
> spi field looks wrong :(
>
> That works fine on FreeBSD 10.3
>
> Same problem on a FreeBSD 11.1-STABLE #1 r326391: Thu Nov 30 12:07:50
> CET 2017

SPI isn't used with TCP (it isn't sent over the network). It is here since it is required to create an SA in the SADB. In 11.0 the SADB/SPDB were changed and now each SA must have a unique SPI. To not break old applications a compatibility shim was added: for TCP-MD5 SAs it is supported to use the single SPI 0x1000, and it is allowed when you try to add several SAs with the same SPI, but actually they will use auto-generated values.

Two years ago I sent the patch to the bird developers, but have not received any answers.

-- 
WBR, Andrey V. Elsukov
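As an added check (not part of the thread or of FreeBSD's own tooling), a small Python parser for `setkey -D` output that pairs TCP-MD5 SAs by direction and reports whether each SPI is the 0x1000 compatibility value or an auto-generated one; the sample input is constructed from the output quoted above, and the field names in the returned dicts are this example's own choice.

```python
"""Parse `setkey -D` output and pair TCP-MD5 SAs by direction."""
import re

# Constructed sample modelled on the setkey -D output quoted in the thread
# (one SA keeps the compat SPI 0x1000, the other got an auto-generated SPI).
SAMPLE = """\
129.20.128.149 129.20.128.78
\ttcp mode=any spi=106079004(0x0652a31c) reqid=0(0x00000000)
\tA: tcp-md5 73656372 6574
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
129.20.128.78 129.20.128.149
\ttcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
\tA: tcp-md5 73656372 6574
\tseq=0x00000000 replay=0 flags=0x00000040 state=mature
"""

COMPAT_SPI = 0x1000  # SPI the 11.x TCP-MD5 compatibility shim accepts
HDR = re.compile(r"^(\S+)\s+(\S+)$")  # unindented "src dst" line opens an SA
SPI = re.compile(r"\bspi=(\d+)\(0x[0-9a-f]+\)")
STATE = re.compile(r"\bstate=(\w+)")

def parse_sadb(text):
    """Return one dict per SA: src, dst, proto, spi, auth, state."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):          # new SA entry
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is None:
            continue                      # text before the first SA
        elif m := SPI.search(line):
            cur["proto"] = line.split()[0]
            cur["spi"] = int(m.group(1))
        elif line.strip().startswith("A:"):
            cur["auth"] = line.split()[1]
        elif m := STATE.search(line):
            cur["state"] = m.group(1)
    return sas

def check_tcp_md5(sas):
    """Pair TCP-MD5 SAs by direction and classify each SPI."""
    by_dir = {(s["src"], s["dst"]): s for s in sas if s.get("auth") == "tcp-md5"}
    report = {}
    for (src, dst), sa in by_dir.items():
        report[(src, dst)] = {
            "spi_kind": "compat" if sa["spi"] == COMPAT_SPI else "auto",
            "mature": sa.get("state") == "mature",
            "reverse_present": (dst, src) in by_dir,  # both directions needed
        }
    return report
```

Feed it real output with `parse_sadb(subprocess.check_output(["setkey", "-D"], text=True))`; a direction with `reverse_present` False means the peer's return path has no TCP-MD5 SA and its segments will fail the signature check.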