Page MenuHomeFreeBSD
Differential D49164

ipsec: add `net.inet.ipsec.random_id`
ClosedPublic
Actions

Authored by aurelien.cazuc.external_stormshield.eu on Fri, Feb 28, 12:17 PM.
Tags
None
Referenced Files
F112547923: D49164.diff
Wed, Mar 19, 4:56 PM
Unknown Object (File)
Mon, Mar 17, 10:06 AM
Unknown Object (File)
Thu, Mar 6, 5:12 PM
Unknown Object (File)
Thu, Mar 6, 4:32 PM
Unknown Object (File)
Wed, Mar 5, 11:45 PM
Unknown Object (File)
Wed, Mar 5, 8:28 PM
Unknown Object (File)
Wed, Mar 5, 4:47 PM
Unknown Object (File)
Wed, Mar 5, 2:55 PM
View All 22 Files
Subscribers
ae
donner
farrokhi
glebius
imp
melifaro
stephane.rochoy_stormshield.eu
View All 9 Subscribers

Details

Reviewers
glebius
Group Reviewers
transport
Commits
rG70703aa922b4: netinet: allow per protocol random IP id control, single out IPSEC
Summary

esp-encapsulated packets may get a generated IP id if the net.inet.random_id sysctl equals 1
while it's useful in most IP contexts, it may be unnecessary in the case of IPsec encapsulated packets because IPsec can be configured to use anti-replay windows
because random id generation can cost a lot of CPU resources when many packets are handled, it can be useful to disable this generation for IPsec packets
this reviews adds a new net.inet.ipsec.random_id sysctl to control whether or not IPsec packets may use random id generation

Sponsored By: Stormshield

Test Plan

when sending a ping through a tunnel

  • packets id are sequential when net.inet.ipsec.random_id is set to 0
  • packets id are random when net.inet.ipsec.random_id is set to 1

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

aurelien.cazuc.external_stormshield.eu created this revision.Fri, Feb 28, 12:17 PM
Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptFri, Feb 28, 12:17 PM
aurelien.cazuc.external_stormshield.eu requested review of this revision.Fri, Feb 28, 12:17 PM
stephane.rochoy_stormshield.eu added a subscriber: stephane.rochoy_stormshield.eu.Fri, Feb 28, 1:17 PM
ae added a comment.Fri, Feb 28, 2:35 PM

It looks a bit confusing when you set net.inet.ipsec.random_id=1 and it does not work because default value of net.inet.random_id is 0.
It should be documented in ipsec(4).
Maybe just make ip_fillid_ex as ip_fillid_ex(struct ip *, bool do_randomid) and set net.inet.ipsec.random_id=0 by default?

glebius added a comment.Fri, Feb 28, 7:16 PM
In D49164#1121535, @ae wrote:

It looks a bit confusing when you set net.inet.ipsec.random_id=1 and it does not work because default value of net.inet.random_id is 0.
It should be documented in ipsec(4).
Maybe just make ip_fillid_ex as ip_fillid_ex(struct ip *, bool do_randomid) and set net.inet.ipsec.random_id=0 by default?

The problem with suggested patch is that you need to set two knobs to true to actually enable random ID for IPSEC. Neither you can enable random for IPSEC and disable for others!

If we are moving towards enabling/disabling the random ID generation per protocol, let's just extend ip_fillid() with an argument. There is not much use of this function in the kernel, the sweep won't be big. All existing protocols will provide the default knob pointer, and IPSEC will provide its own.

So,

VNET_DEFINE_STATIC(int, ip_do_randomid) = 0;

changes to non-static one and VNET_DECLARE() is added to to ip_var.h next to new ip_fillid() definition. Meanwhile we can change the sysctl to bool and shorten the global variable name.

VNET_DECLARE(bool, ip_randomid);
ip_fillid(struct ip *, bool)

Then every other place than IPSEC would use ip_fillid(ip, V_ip_randomid) and IPSEC would use ip_fillid(ip, V_ipsec_randomid).

aurelien.cazuc.external_stormshield.eu updated this revision to Diff 151782.Mon, Mar 3, 1:16 PM
aurelien.cazuc.external_stormshield.eu edited the test plan for this revision. (Show Details)

As proposed by @glebius, ip_fillid now does always take a boolean to enable random id
The boolean is V_ip_random_id for all the calls to the function, except for ipsec_output where it's V_ip4_ipsec_random_id
ipsec(4) has been modified as well to document the ipsec sysctl

Herald added a reviewer: transport. · View Herald TranscriptMon, Mar 3, 1:16 PM
Herald added subscribers: ziaee, vegeta_tuxpowered.net, donner, farrokhi. · View Herald Transcript
glebius accepted this revision.Mon, Mar 3, 9:46 PM

Thanks!

glebius added a comment.Mon, Mar 3, 9:48 PM

Do you need me to check in the change, or you have other committer you work with? In the former case, do you have a shared git branch with this change and your name/email spelled correctly in the commit message?

aurelien.cazuc.external_stormshield.eu edited the summary of this revision. (Show Details)Tue, Mar 4, 8:41 AM
aurelien.cazuc.external_stormshield.eu added a comment.Tue, Mar 4, 9:28 AM

I commited the change on github here: https://github.com/stormshield-acazuc/freebsd-src/commit/b2e39427211c2645b567d0039ce74636d449d6fa
I can create a pull request if it's easier for you to merge

glebius added a comment.Tue, Mar 4, 4:55 PM

Pushed with some editing/formatting of the commit message and date update in the manual page. Thanks!

This revision was not accepted when it landed; it landed in state Needs Review.Wed, Mar 5, 1:39 AM
Closed by commit rG70703aa922b4: netinet: allow per protocol random IP id control, single out IPSEC (authored by acazuc <acazuc@acazuc.fr>, committed by glebius). · Explain Why
This revision was automatically updated to reflect the committed changes.
glebius added a commit: rG70703aa922b4: netinet: allow per protocol random IP id control, single out IPSEC.

Revision Contents
Changeset List

PathSize
sys/
netinet/
7 lines
1 line
netipsec/
3 lines
4 lines
2 lines

Diff 151667

View Options

sys/netinet/ip_id.c

Loading...
View Options

sys/netinet/ip_var.h

Loading...
View Options

sys/netipsec/ipsec.h

Loading...
View Options

sys/netipsec/ipsec.c

Loading...
View Options

sys/netipsec/ipsec_output.c

Loading...