Message ID | b604dc470c708e1e70c954f1513e4b461531e7cc.1698136108.git.antony.antony@secunet.com (mailing list archive)
---|---
State | RFC
Delegated to | Netdev Maintainers
Series | [RFC,ipsec-next] udpencap: Remove Obsolete UDP_ENCAP_ESPINUDP_NON_IKE Support
Context | Check | Description
---|---|---
netdev/tree_selection | success | Guessing tree name failed - patch did not apply
Antony Antony <antony.antony@secunet.com> wrote:
> The UDP_ENCAP_ESPINUDP_NON_IKE mode, introduced into the Linux kernel
> in 2004 [2], has remained inactive and obsolete for an extended period.
>
> This mode was originally defined in an early version of an IETF draft
> [1] from 2001. By the time it was integrated into the kernel in 2004 [2],
> it had already been replaced by UDP_ENCAP_ESPINUDP [3] in later
> versions of draft-ietf-ipsec-udp-encaps, particularly in version 06.
>
> Over time, UDP_ENCAP_ESPINUDP_NON_IKE has lost its relevance, with no
> known use cases.
>
> With this commit, we remove support for UDP_ENCAP_ESPINUDP_NON_IKE,
> simplifying the code base and eliminating unnecessary complexity.
>
> References:
> [1] https://datatracker.ietf.org/doc/html/draft-ietf-ipsec-udp-encaps-00.txt
>
> [2] Commit that added UDP_ENCAP_ESPINUDP_NON_IKE to the Linux historic
> repository.
>
> Author: Andreas Gruenbacher <agruen@suse.de>
> Date: Fri Apr 9 01:47:47 2004 -0700
>
> [IPSEC]: Support draft-ietf-ipsec-udp-encaps-00/01, some ipec impls need it.
>
> [3] Commit that added UDP_ENCAP_ESPINUDP to the Linux historic
> repository.
>
> Author: Derek Atkins <derek@ihtfp.com>
> Date: Wed Apr 2 13:21:02 2003 -0800
>
> [IPSEC]: Implement UDP Encapsulation framework.
>
> Should I leave the '#define UDP_ENCAP_ESPINUDP_NON_IKE' in the uapi/linux/udp.h?
> since it is a change to ABI?

Yes, but you can, e.g., append "(obsolete)" or "(not supported anymore)"
or something like that to the trailing comment. And you could wrap it in
"#ifndef __KERNEL__" to have build breakage if anything in the kernel
tries to make use of it.

Patch LGTM.
On Tue, 24 Oct 2023, Antony Antony via Devel wrote:
> The UDP_ENCAP_ESPINUDP_NON_IKE mode, introduced into the Linux kernel
> in 2004 [2], has remained inactive and obsolete for an extended period.

Thanks for doing this. I can confirm libreswan does not support this anymore
as of October 14, 2020, but in reality hasn't supported this since KLIPS was
obsoleted, which was before the first libreswan release in 2013. On RHEL/Fedora
this was never supported.

Paul
On Tue, Oct 24, 2023 at 4:42 AM Antony Antony <antony.antony@secunet.com> wrote:
>
> The UDP_ENCAP_ESPINUDP_NON_IKE mode, introduced into the Linux kernel
> in 2004 [2], has remained inactive and obsolete for an extended period.
>
> This mode was originally defined in an early version of an IETF draft
> [1] from 2001. By the time it was integrated into the kernel in 2004 [2],
> it had already been replaced by UDP_ENCAP_ESPINUDP [3] in later
> versions of draft-ietf-ipsec-udp-encaps, particularly in version 06.
>
> Over time, UDP_ENCAP_ESPINUDP_NON_IKE has lost its relevance, with no
> known use cases.

I don't know how important this is, but a quick online search brought up one
package: https://github.com/rdratlos/racoon-ipsec-tools.git

Behind #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01), so probably
unused there too.
On Tue, 24 Oct 2023, Willem de Bruijn via Devel wrote:
> I don't know how important this is, but a quick online search brought
> up one package: https://github.com/rdratlos/racoon-ipsec-tools.git
>
> Behind #if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01), so
> probably unused there too.

Also: https://ipsec-tools.sourceforge.net/

Important Note
The development of ipsec-tools has been ABANDONED.
ipsec-tools has security issues, and you should not use it.
Please switch to a secure alternative!

There are known unfixed CVEs in that codebase. While Apple and Android have
their own clones of this code for IKEv1, even basically all 20+ year old IKEv1
clients support the draft 02/03/05 versions that obsolete the 00/01 draft code.

Paul
diff --git a/include/uapi/linux/udp.h b/include/uapi/linux/udp.h index 4828794efcf8..1516f53698e0 100644 --- a/include/uapi/linux/udp.h +++ b/include/uapi/linux/udp.h @@ -36,7 +36,6 @@ struct udphdr { #define UDP_GRO 104 /* This socket can receive UDP GRO packets */ /* UDP encapsulation types */ -#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */ #define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-06 */ #define UDP_ENCAP_L2TPINUDP 3 /* rfc2661 */ #define UDP_ENCAP_GTP0 4 /* GSM TS 09.60 */ diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 2be2d4922557..f6ab7eef1513 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -347,7 +347,6 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, __be16 dport) { struct udphdr *uh; - __be32 *udpdata32; unsigned int len; len = skb->len + esp->tailen - skb_transport_offset(skb); @@ -362,12 +361,6 @@ static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb, *skb_mac_header(skb) = IPPROTO_UDP; - if (encap_type == UDP_ENCAP_ESPINUDP_NON_IKE) { - udpdata32 = (__be32 *)(uh + 1); - udpdata32[0] = udpdata32[1] = 0; - return (struct ip_esp_hdr *)(udpdata32 + 2); - } - return (struct ip_esp_hdr *)(uh + 1); } @@ -423,7 +416,6 @@ static int esp_output_encap(struct xfrm_state *x, struct sk_buff *skb, switch (encap_type) { default: case UDP_ENCAP_ESPINUDP: - case UDP_ENCAP_ESPINUDP_NON_IKE: esph = esp_output_udp_encap(skb, encap_type, esp, sport, dport); break; case TCP_ENCAP_ESPINTCP: @@ -773,7 +765,6 @@ int esp_input_done2(struct sk_buff *skb, int err) source = th->source; break; case UDP_ENCAP_ESPINUDP: - case UDP_ENCAP_ESPINUDP_NON_IKE: source = uh->source; break; default: 
@@ -1177,9 +1168,6 @@ static int esp_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack) case UDP_ENCAP_ESPINUDP: x->props.header_len += sizeof(struct udphdr); break; - case UDP_ENCAP_ESPINUDP_NON_IKE: - x->props.header_len += sizeof(struct udphdr) + 2 * sizeof(u32); - break; #ifdef CONFIG_INET_ESPINTCP case TCP_ENCAP_ESPINTCP: /* only the length field, TCP encap is done by diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 7fdc250e0679..04c5b77f555c 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -2688,8 +2688,6 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname, #ifdef CONFIG_XFRM case UDP_ENCAP_ESPINUDP: set_xfrm_gro_udp_encap_rcv(val, sk->sk_family, sk); - fallthrough; - case UDP_ENCAP_ESPINUDP_NON_IKE: #if IS_ENABLED(CONFIG_IPV6) if (sk->sk_family == AF_INET6) WRITE_ONCE(up->encap_rcv, diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index 42879c5e026a..7a2b16aef71e 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c @@ -113,19 +113,6 @@ static int __xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb, bool pull /* Must be an IKE packet.. pass it through */ return 1; break; - case UDP_ENCAP_ESPINUDP_NON_IKE: - /* Check if this is a keepalive packet. If so, eat it. */ - if (len == 1 && udpdata[0] == 0xff) { - return -EINVAL; - } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) && - udpdata32[0] == 0 && udpdata32[1] == 0) { - - /* ESP Packet with Non-IKE marker */ - len = sizeof(struct udphdr) + 2 * sizeof(u32); - } else - /* Must be an IKE packet.. pass it through */ - return 1; - break; } /* At this point we are sure that this is an ESPinUDP packet, diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index fddd0cbdede1..08d71131fd7b 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c 
@@ -383,7 +383,6 @@ static struct ip_esp_hdr *esp6_output_udp_encap(struct sk_buff *skb, __be16 dport) { struct udphdr *uh; - __be32 *udpdata32; unsigned int len; len = skb->len + esp->tailen - skb_transport_offset(skb); @@ -398,12 +397,6 @@ static struct ip_esp_hdr *esp6_output_udp_encap(struct sk_buff *skb, *skb_mac_header(skb) = IPPROTO_UDP; - if (encap_type == UDP_ENCAP_ESPINUDP_NON_IKE) { - udpdata32 = (__be32 *)(uh + 1); - udpdata32[0] = udpdata32[1] = 0; - return (struct ip_esp_hdr *)(udpdata32 + 2); - } - return (struct ip_esp_hdr *)(uh + 1); } @@ -459,7 +452,6 @@ static int esp6_output_encap(struct xfrm_state *x, struct sk_buff *skb, switch (encap_type) { default: case UDP_ENCAP_ESPINUDP: - case UDP_ENCAP_ESPINUDP_NON_IKE: esph = esp6_output_udp_encap(skb, encap_type, esp, sport, dport); break; case TCP_ENCAP_ESPINTCP: @@ -820,7 +812,6 @@ int esp6_input_done2(struct sk_buff *skb, int err) source = th->source; break; case UDP_ENCAP_ESPINUDP: - case UDP_ENCAP_ESPINUDP_NON_IKE: source = uh->source; break; default: @@ -1230,9 +1221,6 @@ static int esp6_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack) case UDP_ENCAP_ESPINUDP: x->props.header_len += sizeof(struct udphdr); break; - case UDP_ENCAP_ESPINUDP_NON_IKE: - x->props.header_len += sizeof(struct udphdr) + 2 * sizeof(u32); - break; #ifdef CONFIG_INET6_ESPINTCP case TCP_ENCAP_ESPINTCP: /* only the length field, TCP encap is done by diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index ccf79b84c061..6e254cb64237 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c 
@@ -112,19 +112,6 @@ static int __xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb, bool pull /* Must be an IKE packet.. pass it through */ return 1; break; - case UDP_ENCAP_ESPINUDP_NON_IKE: - /* Check if this is a keepalive packet. If so, eat it. */ - if (len == 1 && udpdata[0] == 0xff) { - return -EINVAL; - } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) && - udpdata32[0] == 0 && udpdata32[1] == 0) { - - /* ESP Packet with Non-IKE marker */ - len = sizeof(struct udphdr) + 2 * sizeof(u32); - } else - /* Must be an IKE packet.. pass it through */ - return 1; - break; } /* At this point we are sure that this is an ESPinUDP packet,
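Review bot: the include/uapi/linux/udp.h hunk removes `UDP_ENCAP_ESPINUDP_NON_IKE` from a uapi header, which is exactly the ABI question the author raises: any userspace program that references the constant stops compiling against the new header, independent of whether the kernel still implements the mode. Keep the define in place with its trailing comment marked obsolete and wrap it in `#ifndef __KERNEL__` so only userspace sees it, e.g. `#ifndef __KERNEL__` / `#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01, obsolete */` / `#endif`; that way any in-kernel reference left behind fails to build instead of silently matching value 1. Related, the net/ipv4/udp.c hunk drops the `case UDP_ENCAP_ESPINUDP_NON_IKE:` label from udp_lib_setsockopt, so a setsockopt with value 1 now lands in the default branch of that switch, which lies outside the hunk; confirm that branch returns an error so the socket is not left partially configured, and state the userspace-visible behaviour change in the commit message.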
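Review bot: in the net/ipv4/esp4.c and net/ipv6/esp6.c hunks for esp_output_udp_encap and esp6_output_udp_encap, the removed `if (encap_type == UDP_ENCAP_ESPINUDP_NON_IKE)` block was the only use of the `encap_type` argument visible in those functions, so the parameter is now dead while the callers in esp_output_encap and esp6_output_encap still pass it (`esp_output_udp_encap(skb, encap_type, esp, sport, dport)`). Drop the parameter from both signatures and call sites in this same patch, or say why it stays; a dead parameter leads the next reader to assume the function still dispatches on the encapsulation type. Both functions now unconditionally return `(struct ip_esp_hdr *)(uh + 1)`, which matches the `sizeof(struct udphdr)` header_len that remains in esp_init_state and esp6_init_state, so the length accounting is consistent after the removal.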
The UDP_ENCAP_ESPINUDP_NON_IKE mode, introduced into the Linux kernel
in 2004 [2], has remained inactive and obsolete for an extended period.

This mode was originally defined in an early version of an IETF draft
[1] from 2001. By the time it was integrated into the kernel in 2004 [2],
it had already been replaced by UDP_ENCAP_ESPINUDP [3] in later
versions of draft-ietf-ipsec-udp-encaps, particularly in version 06.

Over time, UDP_ENCAP_ESPINUDP_NON_IKE has lost its relevance, with no
known use cases.

With this commit, we remove support for UDP_ENCAP_ESPINUDP_NON_IKE,
simplifying the code base and eliminating unnecessary complexity.

References:
[1] https://datatracker.ietf.org/doc/html/draft-ietf-ipsec-udp-encaps-00.txt

[2] Commit that added UDP_ENCAP_ESPINUDP_NON_IKE to the Linux historic
repository.

Author: Andreas Gruenbacher <agruen@suse.de>
Date: Fri Apr 9 01:47:47 2004 -0700

[IPSEC]: Support draft-ietf-ipsec-udp-encaps-00/01, some ipec impls need it.

[3] Commit that added UDP_ENCAP_ESPINUDP to the Linux historic
repository.

Author: Derek Atkins <derek@ihtfp.com>
Date: Wed Apr 2 13:21:02 2003 -0800

[IPSEC]: Implement UDP Encapsulation framework.

Should I leave the '#define UDP_ENCAP_ESPINUDP_NON_IKE' in the uapi/linux/udp.h?
since it is a change to ABI?

Signed-off-by: Antony Antony <antony.antony@secunet.com>
---
 include/uapi/linux/udp.h |  1 -
 net/ipv4/esp4.c          | 12 ------------
 net/ipv4/udp.c           |  2 --
 net/ipv4/xfrm4_input.c   | 13 -------------
 net/ipv6/esp6.c          | 12 ------------
 net/ipv6/xfrm6_input.c   | 13 -------------
 6 files changed, 53 deletions(-)
-- 
2.30.2