
Feature #1132

Pass SPIs of IPsec SAs into updown script

Added by Noel Kuntze about 5 years ago. Updated 29 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 25.09.2015
Due date:
Estimated time:
Resolution: Won't fix

Description

Hi,

I'd like to be able to get the SPIs of the installed SAs inside the updown script to do fancy
iptables rules with them. I need this to assign marks to incoming IPsec packets, so
the kernel can match the different packets to the IPsec SA and SP in the SAD and SPD.
Doing that would enable users to have several CHILD_SAs between two peers
and assign different marks to them. Matching on the REQUEST_ID does not work,
because that value is not present in the IPsec packet and only in the SA or SP in the SAD and SPD.

Kind regards,
Noel

History

#1 Updated by Tobias Brunner about 5 years ago

  • Status changed from New to Feedback

> I'd like to be able to get the SPIs of the installed SAs inside the updown script to do fancy iptables rules with them.

Since the script is not called when a CHILD_SA is rekeyed the SPIs would only be valid until the first rekeying.

> I need this to assign marks to incoming IPsec packets, so the kernel can match the different packets to the IPsec SA and SP in the SAD and SPD.
> Doing that would enable users to have several CHILD_SAs between two peers and assign different marks to them.

So why not assign the marks via the config? Refer to the ikev2/net2net-psk-dscp scenario for an example.

#2 Updated by Noel Kuntze about 5 years ago

Tobias Brunner wrote:

> Since the script is not called when a CHILD_SA is rekeyed the SPIs would only be valid until the first rekeying.

This is one additional issue. Is the updown script called on rekeying events, too?

> So why not assign the marks via the config? Refer to the ikev2/net2net-psk-dscp scenario for an example.

I'm using mark_in and mark_out. Those only install additional mark values onto the policies and the states, but do not
mark the packets in Netfilter, so the policies and states can be matched. This is what I want to do. In my scenario,
I have several CHILD_SAs between the two peers. Every CHILD_SA has a different pair of marks. But I cannot tell
them apart in Netfilter, because the only thing that tells them apart is the REQID. But that's not something that
is in the ESP packet and hence I can't match on that value to mark the packets correctly.

#3 Updated by Tobias Brunner about 5 years ago

> > Since the script is not called when a CHILD_SA is rekeyed the SPIs would only be valid until the first rekeying.
>
> This is one additional issue. Is the updown script called on rekeying events, too?

As I said, no. The updown plugin and script exist mainly for legacy reasons, in particular the leftfirewall=yes feature. You might want to look into the child-updown and child-rekey events exposed via VICI.

> > So why not assign the marks via the config? Refer to the ikev2/net2net-psk-dscp scenario for an example.
>
> I'm using mark_in and mark_out. Those only install additional mark values onto the policies and the states, but do not
> mark the packets in Netfilter, so the policies and states can be matched.

In the scenario above Andreas uses different DSCP values in the IP header to mark the packets and in ikev2/nat-rw-mark he uses NAT rules to differentiate between the two SAs (source:testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown). You might be able to do something similar. Otherwise, I'd recommend you use the more verbose VICI events.
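The description asks for per-CHILD_SA SPIs so that incoming ESP packets can be marked, and the comment above points at the VICI child-updown and child-rekey events as the place to get them, since the updown script is not run on rekeying. The following is an added example (not strongSwan's own code and not from this issue) of a small event consumer that keeps one `-m esp --espspi` mangle rule per CHILD_SA and swaps it on rekey. The event payloads in the test are constructed to follow the shape of the VICI event messages (IKE_SA name, `child-sas`, `spi-in`, `name`), the `CHILD_MARKS` mapping and the `vici.Session().listen()` usage in `main` are assumptions, and the commands are returned as strings so the logic can be checked without root or a running charon.

```python
"""Derive per-CHILD_SA Netfilter mark rules from strongSwan VICI events.

Added example, not strongSwan code.  Instead of the updown script (which is
not invoked on rekeying) this listens for child-updown and child-rekey,
reads the inbound SPI of every CHILD_SA and keeps exactly one
`-m esp --espspi` rule per CHILD_SA, so inbound ESP packets carry the
fwmark that matches the SA's mark_in.
"""
import subprocess

# Assumed mapping: CHILD_SA config name -> fwmark configured as mark_in
# for that CHILD_SA (hypothetical values for this example).
CHILD_MARKS = {"net-a": 0x10, "net-b": 0x20}


def _s(value):
    """The Python vici bindings deliver values as bytes; normalise to str."""
    return value.decode() if isinstance(value, bytes) else value


def child_sas(event):
    """Yield (child_name, spi_in) for every CHILD_SA in an event payload.

    Assumed payload shape (child-updown and child-rekey alike):
    { "up": "yes" (updown only), <ike-name>: { "child-sas": {
        <unique-name>: { "name": <config name>, "spi-in": <hex>, ... } } } }
    """
    for key, ike in event.items():
        if key == "up":
            continue
        for unique_name, child in ike.get("child-sas", {}).items():
            name = _s(child.get("name", unique_name))
            yield name, int(_s(child["spi-in"]), 16)


def mark_rule(action, spi, mark):
    """iptables command marking inbound ESP packets that carry a given SPI."""
    return (f"iptables -t mangle {action} PREROUTING -p esp -m esp "
            f"--espspi 0x{spi:08x} -j MARK --set-mark 0x{mark:x}")


class SpiMarker:
    """Tracks the SPI rule installed per CHILD_SA and emits add/delete commands."""

    def __init__(self, marks):
        self.marks = marks
        self.installed = {}  # child name -> inbound SPI currently matched by a rule

    def handle(self, label, event):
        """Return the iptables commands needed to react to one event."""
        cmds = []
        # A rekey always installs a new SA; an updown event is "up" only if flagged.
        is_up = _s(label) == "child-rekey" or _s(event.get("up", "")) == "yes"
        for name, spi_in in child_sas(event):
            mark = self.marks.get(name)
            if mark is None:
                continue  # no mark configured for this CHILD_SA
            old = self.installed.pop(name, None)
            # Drop the stale rule when the SA goes down or its SPI changed on rekey.
            if old is not None and (not is_up or old != spi_in):
                cmds.append(mark_rule("-D", old, mark))
            if is_up:
                if old != spi_in:
                    cmds.append(mark_rule("-A", spi_in, mark))
                self.installed[name] = spi_in
        return cmds


def main():
    """Assumed usage with strongSwan's Python bindings: apply rules as events arrive."""
    import vici  # provided by strongSwan; assumed installed and charon running
    marker = SpiMarker(CHILD_MARKS)
    session = vici.Session()
    for label, event in session.listen(["child-updown", "child-rekey"]):
        for cmd in marker.handle(label, event):
            subprocess.run(cmd.split(), check=False)


if __name__ == "__main__":
    main()
```

Because the state is keyed by the CHILD_SA config name, a rekey replaces the old SPI rule in place and a down event removes it, which addresses the point raised above that SPIs obtained only at "up" time become stale after the first rekeying.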

#4 Updated by Noel Kuntze about 5 years ago

Tobias Brunner wrote:

> You might want to look into the child-updown and child-rekey events exposed via VICI.

> > > So why not assign the marks via the config? Refer to the ikev2/net2net-psk-dscp scenario for an example.
> >
> > I'm using mark_in and mark_out. Those only install additional mark values onto the policies and the states, but do not
> > mark the packets in Netfilter, so the policies and states can be matched.
>
> In the scenario above Andreas uses different DSCP values in the IP header to mark the packets and in ikev2/nat-rw-mark he uses NAT rules to differentiate between the two SAs (source:testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown). You might be able to do something similar. Otherwise, I'd recommend you use the more verbose VICI events.

Hmh. I looked at (source:testing/tests/ikev2/net2net-psk-dscp/pretest.dat) and saw that indeed DSCP marks are used. That wasn't obvious from the iptables -L. Maybe replace the output of iptables -L in the testing scenarios with iptables-save?

I'll see what I can use to make it work; currently DSCP marks work for my LAN internal scenario, but it won't work for the WAN. I think I need to write a python script for that.

Thank you for your help.

#5 Updated by Tobias Brunner 29 days ago

  • Status changed from Feedback to Closed
  • Resolution set to Won't fix
