From owner-freebsd-net@freebsd.org Thu Oct 6 12:36:39 2016
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: Rafa Marin Lopez, freebsd-net@freebsd.org
Cc: Gabriel Lopez
Subject: Re: IPsec implementation key_spdacquire
Date: Thu, 6 Oct 2016 15:34:04 +0300
Message-ID: <53a3073d-2098-76fb-2d1d-d144397fa6f2@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On 06.10.2016 14:01, Rafa Marin Lopez wrote:
> In the file key.c in netipsec there is a function:
>
> key_spdacquire(struct secpolicy *sp)
>
> which is implemented, but in the table:
>
> static int (*key_typesw[])(struct socket *, struct mbuf *, const
> struct sadb_msghdr *) = { ...
>
> NULL, /* SADB_X_SPDACQUIRE */
>
> Does it mean it is not usable?
>
> We are interested because we are dealing with handling IPsec by using
> the SDN paradigm
> (https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-00)
> and we would need an event when an IP packet needs a policy to be
> configured for an outbound packet.

Hi,

Yes, it isn't usable. In my understanding SADB_X_SPDACQUIRE should be
used in conjunction with SADB_X_SPDSETIDX and SADB_X_SPDUPDATE, in a
similar way to how SADB_GETSPI+SADB_ACQUIRE+SADB_UPDATE currently works.

Currently I have done a heavy redesign of SADB/SPDB and also just removed
SADB_X_SPDSETIDX and SADB_X_SPDACQUIRE support, since 1) it is unused;
2) I failed to find an IKEd that supports it; 3) there is no code in the
IPsec that assumes such usage.

My work is still in progress; currently we are doing testing. But if you
have software that will use this, I will think about how to implement it.

-- 
WBR, Andrey V. Elsukov
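The exchange above turns on one detail of the PF_KEY input path: the kernel looks the incoming sadb_msg_type up in the key_typesw[] function-pointer table, and a NULL slot means the type is rejected before any handler runs, which is why key_spdacquire() can exist in key.c while SADB_X_SPDACQUIRE is still unusable from user space. The following is an added example written for this page, not FreeBSD's own code: a user-space model of that dispatch, including the header checks a kernel must do before it trusts a type byte as a table index. The handler bodies are stubs, the message-type numbers follow RFC 2367 and FreeBSD's <net/pfkeyv2.h> as the author remembers them (check the real header), and EINVAL for an unhandled type is this model's choice of errno, not a claim about every kernel version.

```c
/*
 * Added example, not FreeBSD's code: a user-space model of how key_parse()
 * in sys/netipsec/key.c validates a PF_KEY message header and dispatches
 * it through the key_typesw[] table, and why a NULL slot (such as
 * SADB_X_SPDACQUIRE in the table quoted in the thread) makes that message
 * type unusable. Type numbers follow RFC 2367 / <net/pfkeyv2.h> (assumed;
 * verify against the real header). EINVAL for an unhandled type is this
 * model's assumption.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PF_KEYv2 message types used by this model (RFC 2367 plus SADB_X_SPD*). */
enum {
	SADB_GETSPI       = 1,
	SADB_UPDATE       = 2,
	SADB_ADD          = 3,
	SADB_ACQUIRE      = 6,
	SADB_X_SPDUPDATE  = 13,
	SADB_X_SPDADD     = 14,
	SADB_X_SPDDELETE  = 15,
	SADB_X_SPDACQUIRE = 17,
	SADB_X_SPDSETIDX  = 20,
	SADB_MAX          = 22      /* highest type this model accepts */
};

#define PF_KEY_V2       2
#define PFKEY_UNIT64(b) ((b) >> 3)  /* sadb_msg_len counts 64-bit words */

/* struct sadb_msg as laid out by RFC 2367: 16 bytes, no padding. */
struct sadb_msg {
	uint8_t  sadb_msg_version;
	uint8_t  sadb_msg_type;
	uint8_t  sadb_msg_errno;
	uint8_t  sadb_msg_satype;
	uint16_t sadb_msg_len;
	uint16_t sadb_msg_reserved;
	uint32_t sadb_msg_seq;
	uint32_t sadb_msg_pid;
};

typedef int (*key_handler_t)(const struct sadb_msg *);

/* Stub standing in for key_getspi(), key_spdadd(), ... (assumed bodies). */
static int stub_ok(const struct sadb_msg *m) { (void)m; return 0; }

/*
 * Dispatch table sized by SADB_MAX so every bounds-checked type has a slot.
 * Designated initialisers leave the rest NULL, the same shape as the NULL
 * entry for SADB_X_SPDACQUIRE in key.c.
 */
static const key_handler_t key_typesw[SADB_MAX + 1] = {
	[SADB_GETSPI]      = stub_ok,
	[SADB_UPDATE]      = stub_ok,
	[SADB_ADD]         = stub_ok,
	[SADB_ACQUIRE]     = stub_ok,
	[SADB_X_SPDUPDATE] = stub_ok,
	[SADB_X_SPDADD]    = stub_ok,
	[SADB_X_SPDDELETE] = stub_ok,
	/* SADB_X_SPDACQUIRE and SADB_X_SPDSETIDX deliberately have no handler. */
};

/*
 * Model of key_parse(): the buffer is a user-space write to a PF_KEY
 * socket, so validate the header before trusting any field, and never
 * index key_typesw[] with an unchecked type byte. Returns 0 if a handler
 * ran, otherwise the errno the kernel would echo back in sadb_msg_errno.
 */
int key_parse_model(const uint8_t *buf, size_t len)
{
	struct sadb_msg msg;

	if (buf == NULL || len < sizeof(msg))
		return EINVAL;                /* not even a full header */
	memcpy(&msg, buf, sizeof(msg));   /* copy out; no aligned access into buf */

	if (msg.sadb_msg_version != PF_KEY_V2)
		return EINVAL;
	/* Declared length must be whole 64-bit words and match what arrived. */
	if ((len & 7) != 0 || msg.sadb_msg_len != PFKEY_UNIT64(len))
		return EINVAL;
	/* Bounds check before the lookup: the type byte is attacker-controlled. */
	if (msg.sadb_msg_type > SADB_MAX)
		return EINVAL;
	if (key_typesw[msg.sadb_msg_type] == NULL)
		return EINVAL;                /* known name, no handler: unusable */
	return key_typesw[msg.sadb_msg_type](&msg);
}

/* Build a header-only message (constructed input); returns bytes written. */
size_t build_pfkey_hdr(uint8_t *buf, size_t cap, uint8_t type, uint16_t len_units)
{
	struct sadb_msg msg = {
		.sadb_msg_version = PF_KEY_V2, .sadb_msg_type = type,
		.sadb_msg_len = len_units, .sadb_msg_seq = 1, .sadb_msg_pid = 4242,
	};
	if (cap < sizeof(msg))
		return 0;
	memcpy(buf, &msg, sizeof(msg));
	return sizeof(msg);
}

/* Push a well-formed header-only message of one type through the model. */
int probe_type(uint8_t type)
{
	uint8_t buf[sizeof(struct sadb_msg)];
	size_t n = build_pfkey_hdr(buf, sizeof(buf), type, PFKEY_UNIT64(sizeof(buf)));
	return key_parse_model(buf, n);
}

/* Same, but sadb_msg_len claims more data (8 units) than was actually sent. */
int probe_bad_len(void)
{
	uint8_t buf[sizeof(struct sadb_msg)];
	size_t n = build_pfkey_hdr(buf, sizeof(buf), SADB_X_SPDADD, 8);
	return key_parse_model(buf, n);
}

int main(void)
{
	printf("SADB_X_SPDADD     -> %d (0 = handled)\n", probe_type(SADB_X_SPDADD));
	printf("SADB_X_SPDACQUIRE -> %d (EINVAL = %d, NULL slot)\n",
	    probe_type(SADB_X_SPDACQUIRE), EINVAL);
	printf("type 200          -> %d (out of range)\n", probe_type(200));
	printf("bad sadb_msg_len  -> %d\n", probe_bad_len());
	return 0;
}
```

The two checks in key_parse_model() are the ones worth copying into any PF_KEY-style dispatcher: reject a type above SADB_MAX before touching the table, because the table is only as long as the highest known type and an unchecked index would read a function pointer out of bounds, and treat a NULL slot as "not supported" rather than as a bug. Against a real FreeBSD kernel the same probe would be a write of a header-only message to a PF_KEY socket, with the result read back from sadb_msg_errno of the echoed message.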