[Kernel-packages] [Bug 1540886] Re: xfrm and fwmark do not work on VXLAN xmit

2016-03-07 Thread Atzm Watanabe
Thank you for the advice.
I tried LTS Enablement Stack (linux-image-generic-lts-wily) and it worked fine for me.
So I don't need a backport.  I am marking the issue status as Invalid.

Thank you again!


** Changed in: linux (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1540886

Title:
  xfrm and fwmark do not work on VXLAN xmit

Status in linux package in Ubuntu:
  Invalid

Bug description:
  On Ubuntu 15.04, kernel 3.19.0-49-generic has a known issue that xfrm and fwmark do not work on VXLAN xmit.
  This issue was fixed in the upstream kernel:
  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=239fb791d4ee194740e69fe9694f58ec404d1689

  I think the above patch should be backported because this may cause serious problems including security issues.
  For example, an outgoing VXLAN packet will be sent without encryption even if the IPsec security policy is configured properly.
  As a result, the packet which should be encrypted can be snooped.

  How to reproduce:

  When using ipsec-tools (for minimum reproducing steps):

  --- Node-A
  # modprobe esp4
  # modprobe af_key
  # modprobe xfrm4_mode_transport
  # setkey -c <<EOL
  > flush;
  > spdflush;
  > add   esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
  > add   esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
  > spdadd   udp -P out ipsec esp/transport//require;
  > spdadd   udp -P in  ipsec esp/transport//require;
  > EOL
  # ip link add vxlan100 type vxlan id 100 remote 
  # ip addr add 1.1.1.1/24 dev vxlan100
  # ip link set vxlan100 up

  --- Node-B
  # modprobe esp4
  # modprobe af_key
  # modprobe xfrm4_mode_transport
  # setkey -c <<EOL
  > flush;
  > spdflush;
  > add   esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
  > add   esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
  > spdadd   udp -P out ipsec esp/transport//require;
  > spdadd   udp -P in  ipsec esp/transport//require;
  > EOL
  # ip link add vxlan100 type vxlan id 100 remote 
  # ip addr add 1.1.1.2/24 dev vxlan100
  # ip link set vxlan100 up
  # ping 1.1.1.1

  Then packets which are encapsulated with a VXLAN header will be shown in
  tcpdump, but they must be ESP packets.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1540886/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
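
The wire-level check the report describes (VXLAN frames visible in tcpdump where ESP is required) can be automated over captured IPv4 packets. This is an added example, not code from the bug report or the kernel; the names classify and leaked, the documentation addresses, and the two sample packets are constructed for illustration.

```python
import socket
import struct

ESP_PROTO, UDP_PROTO = 50, 17
VXLAN_PORTS = {4789, 8472}  # IANA-assigned port and the Linux driver's legacy default

def classify(pkt: bytes):
    """Classify a raw IPv4 packet captured on the underlay interface.

    Returns ("esp", spi), ("vxlan-cleartext", vni) or ("other", None).
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("other", None)
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if ihl < 20 or len(pkt) < ihl or frag_offset:
        return ("other", None)  # malformed, or a later fragment with no L4 header
    proto, payload = pkt[9], pkt[ihl:]
    if proto == ESP_PROTO and len(payload) >= 8:
        return ("esp", struct.unpack_from("!I", payload)[0])
    if proto == UDP_PROTO and len(payload) >= 16:
        dport = struct.unpack_from("!H", payload, 2)[0]
        # VXLAN header follows the 8-byte UDP header:
        # flags (I bit = 0x08), 3 reserved bytes, 24-bit VNI, 1 reserved byte
        if dport in VXLAN_PORTS and payload[8] & 0x08:
            return ("vxlan-cleartext", int.from_bytes(payload[12:15], "big"))
    return ("other", None)

def leaked(packets, vni):
    """Packets for this VNI that left the host without ESP protection."""
    return [p for p in packets if classify(p) == ("vxlan-cleartext", vni)]

def _ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.2"):
    # Constructed sample header (documentation addresses, checksum left at zero).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed samples: ESP carrying SPI 0x201 from the report, and a bare VXLAN frame for VNI 100.
SAMPLE_ESP = _ipv4(ESP_PROTO, struct.pack("!II", 0x201, 1) + bytes(16))
_vxlan = bytes([0x08, 0, 0, 0]) + (100).to_bytes(3, "big") + b"\x00" + b"inner-frame"
SAMPLE_VXLAN = _ipv4(UDP_PROTO, struct.pack("!HHHH", 40000, 8472, 8 + len(_vxlan), 0) + _vxlan)

if __name__ == "__main__":
    for name, pkt in (("esp", SAMPLE_ESP), ("vxlan", SAMPLE_VXLAN)):
        print(name, classify(pkt))
    print("cleartext VNI 100 packets:", len(leaked([SAMPLE_ESP, SAMPLE_VXLAN], 100)))
```

On a kernel with the upstream fix, a capture taken during the ping should yield an empty list from leaked(); any hit means the VXLAN device transmitted around the xfrm policy.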


[Kernel-packages] [Bug 1540886] Re: xfrm and fwmark do not work on VXLAN xmit

2016-03-06 Thread Atzm Watanabe
Hi,

Thank you for the reply.

This problem can be reproduced on 14.04 LTS (3.13.0-76-generic).
But because the bug has been fixed in the upstream kernel since 4.2, the problem does not occur on 15.10 (4.2.0-30-generic).
I have not tried to reproduce it on 12.04 LTS yet, but if the kernel version is earlier than 4.2, the problem will probably be reproduced.


Title:
  xfrm and fwmark do not work on VXLAN xmit

Status in linux package in Ubuntu:
  Incomplete



[Kernel-packages] [Bug 1540886] [NEW] xfrm and fwmark do not work on VXLAN xmit

2016-02-02 Thread Atzm Watanabe
Public bug reported:

On Ubuntu 15.04, kernel 3.19.0-49-generic has a known issue that xfrm and fwmark do not work on VXLAN xmit.
This issue was fixed in the upstream kernel:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=239fb791d4ee194740e69fe9694f58ec404d1689

I think the above patch should be backported because this may cause serious problems including security issues.
For example, an outgoing VXLAN packet will be sent without encryption even if the IPsec security policy is configured properly.
As a result, the packet which should be encrypted can be snooped.

How to reproduce:

When using ipsec-tools (for minimum reproducing steps):

--- Node-A
# modprobe esp4
# modprobe af_key
# modprobe xfrm4_mode_transport
# setkey -c <<EOL
> flush;
> spdflush;
> add   esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
> add   esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
> spdadd   udp -P out ipsec esp/transport//require;
> spdadd   udp -P in  ipsec esp/transport//require;
> EOL
# ip link add vxlan100 type vxlan id 100 remote 
# ip addr add 1.1.1.1/24 dev vxlan100
# ip link set vxlan100 up

--- Node-B
# modprobe esp4
# modprobe af_key
# modprobe xfrm4_mode_transport
# setkey -c <<EOL
> flush;
> spdflush;
> add   esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
> add   esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
> spdadd   udp -P out ipsec esp/transport//require;
> spdadd   udp -P in  ipsec esp/transport//require;
> EOL
# ip link add vxlan100 type vxlan id 100 remote 
# ip addr add 1.1.1.2/24 dev vxlan100
# ip link set vxlan100 up
# ping 1.1.1.1

Then packets which are encapsulated with a VXLAN header will be shown in
tcpdump, but they must be ESP packets.

** Affects: linux-lts-vivid (Ubuntu)
 Importance: Undecided
 Status: New

** Package changed: apport (Ubuntu) => linux-lts-vivid (Ubuntu)


Title:
  xfrm and fwmark do not work on VXLAN xmit

Status in linux-lts-vivid package in Ubuntu:
  New
