
(usagi-users 02386) Re: IPsec pfkey command and input transaction



Hello,

At Thu, 22 May 2003 14:01:34 +0900,
Kazutaka Tachibana <Kazutaka.Tachibana@xxxxxxxxxxx> wrote:
> 
> Hi.
> 
> I want to append a "Security Policy" manually, so I use the "pfkey" command like
> the following.
> 
> pfkey -A sp -T esp -S 0x1234 -s fec0::1 -d fec0::2 --sport 9999 --dport 80
> 
> And next, I changed the "port" parameter.
> pfkey -A sp -T esp -S 0x1234 -s fec0::1 -d fec0::2 --sport 8888 --dport 80
...
> The result of the "pfkey -L" command is like the above.
> I wondered why there is only one "SPD".
You have to specify a unique SPI value for each policy.

...
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
>         switch (query.msgtype) {
>          case SADB_ADD:
>          case SADB_DELETE:
>          case SADB_X_DELFLOW:
>                  if (((struct sockaddr*)&(query.address_s))->sa_family !=
...
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> I think when we execute the "pfkey -A sp" command, query.msgtype is SADB_X_ADDFLOW.
> But in the case of adding port information, this code doesn't execute the
> following.
Apparently this is a BUG.
I'll fix it and commit to our cvs tree ASAP.
Thank you.

...
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> BUT!!
> In "ipsec6_input.c", usagi's code doesn't fill port information into the
> selector structure,
> so the ipsec packet is discarded!
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Why isn't port information included in the selector?
> RFC 2401 describes that port information is included in the selector.
This is just a 'Not Yet Implemented' thing.

# But this is not difficult to implement; we will do it.
# Of course, patches are welcome :-)
-mk
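To make the two points of this exchange concrete, here is a small, constructed model of a Security Policy Database (SPD) that I have added to the archive page; it is not USAGI code and does not touch a kernel. It replays the two pfkey commands from the thread and shows (a) why keying policies on the SPI collapses them into one entry while keying on the full RFC 2401 selector keeps both, and (b) why an input path that never copies the ports into the packet's selector cannot match a port-specific policy, so the packet is dropped. The names `Selector`, `Policy`, `SPD`, `extract_selector` and `inbound_accepted` are my own and are assumptions about how such a lookup is structured, not the names used in ipsec6_input.c.

```python
"""Toy SPD keyed on RFC 2401 selectors.  Constructed example for the
usagi-users thread above; not USAGI's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """RFC 2401 selector.  None means 'wildcard' for that field."""
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: "Selector") -> bool:
        """Does a packet's extracted selector fall under this policy selector?
        A field the policy sets must be present and equal in the packet.  A
        packet whose ports were never extracted (None) therefore cannot
        satisfy a port-specific policy: the failure mode the thread reports."""
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst),
                           (self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want is not None and want != have:
                return False
        return True


@dataclass(frozen=True)
class Policy:
    selector: Selector
    transform: str   # "esp" in the thread
    spi: int         # the SA this policy points at


class SPD:
    """Policies live in a dict.  key_by="spi" reproduces 'only one SPD' when
    two policies share an SPI; key_by="selector" keeps every distinct
    (src, dst, sport, dport) tuple as its own entry, as RFC 2401 expects."""

    def __init__(self, key_by: str = "selector"):
        assert key_by in ("spi", "selector")
        self.key_by = key_by
        self.entries: Dict[Tuple, Policy] = {}

    def _key(self, pol: Policy) -> Tuple:
        if self.key_by == "spi":
            return (pol.spi,)
        s = pol.selector
        return (s.src, s.dst, s.sport, s.dport)

    def add(self, pol: Policy) -> None:
        # a second add with the same key silently replaces the first
        self.entries[self._key(pol)] = pol

    def lookup(self, pkt: Selector) -> Optional[Policy]:
        # first match wins; a real SPD is ordered, a dict suffices here
        for pol in self.entries.values():
            if pol.selector.matches(pkt):
                return pol
        return None


def extract_selector(src: str, dst: str, sport: int, dport: int,
                     copy_ports: bool) -> Selector:
    """Model of the input path building a selector from a decapsulated
    packet.  copy_ports=False leaves the ports unset, as reported."""
    if copy_ports:
        return Selector(src, dst, sport, dport)
    return Selector(src, dst)


def inbound_accepted(spd: SPD, pkt: Selector, spi: int) -> bool:
    """Inbound check: the packet must match a policy, and that policy must
    name the SA (SPI) the packet actually arrived on."""
    pol = spd.lookup(pkt)
    return pol is not None and pol.spi == spi


def demo(key_by: str, copy_ports: bool) -> Tuple[int, bool]:
    """Replays the thread's two commands, then checks one ESP packet from
    fec0::1 port 9999 to fec0::2 port 80 arriving on SPI 0x1234.
    Returns (number of SPD entries, packet accepted?)."""
    spd = SPD(key_by)
    # pfkey -A sp -T esp -S 0x1234 -s fec0::1 -d fec0::2 --sport 9999 --dport 80
    spd.add(Policy(Selector("fec0::1", "fec0::2", 9999, 80), "esp", 0x1234))
    # pfkey -A sp -T esp -S 0x1234 -s fec0::1 -d fec0::2 --sport 8888 --dport 80
    spd.add(Policy(Selector("fec0::1", "fec0::2", 8888, 80), "esp", 0x1234))
    pkt = extract_selector("fec0::1", "fec0::2", 9999, 80, copy_ports)
    return len(spd.entries), inbound_accepted(spd, pkt, 0x1234)


if __name__ == "__main__":
    print("selector-keyed, ports copied :", demo("selector", True))
    print("SPI-keyed, ports copied      :", demo("spi", True))
    print("selector-keyed, ports dropped:", demo("selector", False))
```

The first run keeps both policies and accepts the packet; the second shows the same-SPI case from the original question, where the second `pfkey -A sp` overwrites the first and the packet from port 9999 no longer matches anything; the third shows that even with both policies present, an input path that ignores ports can never satisfy a port-specific selector, which is the discard the reporter saw.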