Hi,

did anyone except itojun ever use the IPsec socket options?

It currently seems to be used only by isakmpd/iked, to bypass IPsec for
IKE traffic; I could not find any code that uses the other modes, such
as "require".

The attached diff is for testing only and is based on an old KAME ping
from itojun (see http://goo.gl/7xSAH for details).  I expected to see a
pfkey acquire message from the kernel, but nothing happens; I have not
looked at the kernel side yet.

It seems that the implementation was never finished, but I'm wondering
whether anyone knows the history or details behind it.

reyk

Index: ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.88
diff -u -p -r1.88 ping.c
--- ping.c      3 Jul 2010 04:44:51 -0000       1.88
+++ ping.c      18 Apr 2011 10:02:31 -0000
@@ -108,6 +108,7 @@ int options;
 #define        F_SO_JUMBO      0x1000
 #define        F_AUD_RECV      0x2000
 #define        F_AUD_MISS      0x4000
+#define F_ENCRYPT      0x8000
 
 /* multicast options */
 int moptions;
@@ -201,7 +202,7 @@ main(int argc, char *argv[])
        preload = 0;
        datap = &outpack[8 + sizeof(struct tvi)];
        while ((ch = getopt(argc, argv,
-           "DEI:LRS:c:defi:jl:np:qrs:T:t:V:vw:")) != -1)
+           "DEI:LRS:c:defi:jl:np:qrs:T:t:V:vw:X")) != -1)
                switch(ch) {
                case 'c':
                        npackets = (unsigned long)strtonum(optarg, 0,
@@ -326,6 +327,9 @@ main(int argc, char *argv[])
                                errx(1, "maxwait value is %s: %s",
                                    errstr, optarg);
                        break;
+               case 'X':
+                       options |= F_ENCRYPT;
+                       break;
                default:
                        usage();
                }
@@ -407,6 +411,13 @@ main(int argc, char *argv[])
                        options |= F_HDRINCL;
        }
 
+       if (options & F_ENCRYPT) {
+               int optval = IPSEC_LEVEL_REQUIRE;
+               int level = IP_ESP_TRANS_LEVEL; /* XXX _ESP_NETWORK_LEVEL */
+               (void)setsockopt(s, IPPROTO_IP, level, &optval,
+                   sizeof(optval));
+       }
+
        if (options & F_RROUTE && options & F_HDRINCL)
                errx(1, "-R option and -D or -T, or -t to unicast destinations"
                    " are incompatible");
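Review bot: The return value of setsockopt() is discarded by the `(void)` cast in the new F_ENCRYPT block, so if the kernel rejects the IP_ESP_TRANS_LEVEL request ping carries on and sends its echo requests in the clear, which defeats the point of asking for IPSEC_LEVEL_REQUIRE. A "require" option should fail closed: `if (setsockopt(s, IPPROTO_IP, level, &optval, sizeof(optval)) == -1) err(1, "setsockopt IP_ESP_TRANS_LEVEL");`. The XXX on the level choice also deserves a real comment stating that only transport-mode ESP is being demanded here, so traffic covered by tunnel-mode SAs would presumably not satisfy the check — worth confirming on the kernel side before this goes beyond testing. main() continues outside this hunk.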
@@ -1363,7 +1374,7 @@ void
 usage(void)
 {
        (void)fprintf(stderr,
-           "usage: ping [-DdEefLnqRrv] [-c count] [-I ifaddr] [-i wait]\n"
+           "usage: ping [-DdEefLnqRSrvX] [-c count] [-I ifaddr] [-i wait]\n"
            "\t[-l preload] [-p pattern] [-s packetsize] [-T tos] [-t ttl]\n"
            "\t[-V rtable] [-w maxwait] host\n");
        exit(1);
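Review bot: The new usage string places `S` inside the no-argument flag group `[-DdEefLnqRSrvX]`, but the getopt string earlier in this file declares it as `S:`, i.e. it takes a parameter, so the usage text is now misleading about that option. Keep the group as `[-DdEefLnqRrvX]` and show -S together with its argument on one of the following lines (the argument's name is not visible in this hunk). If -X survives beyond testing, the manual page needs the same addition.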
