Public bug reported:
On Ubuntu 15.04, kernel 3.19.0-49-generic has a known issue that xfrm and fwmark
do not work on VXLAN xmit.
This issue was fixed on upstream kernel:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=239fb791d4ee194740e69fe9694f58ec404d1689
I think the above patch should be backported because this may cause serious
problems including security issues.
For example, outgoing VXLAN packets will be sent without encryption even if
an IPsec security policy is configured properly.
As a result, packets which should be encrypted can be snooped.
How to reproduce:
When using ipsec-tools (minimal reproduction steps):
--- Node-A
# modprobe esp4
# modprobe af_key
# modprobe xfrm4_mode_transport
# setkey -c <<EOL
> flush;
> spdflush;
> add <Node-A> <Node-B> esp 0x201 -E 3des-cbc
> 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
> add <Node-B> <Node-A> esp 0x301 -E 3des-cbc
> 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
> spdadd <Node-A> <Node-B> udp -P out ipsec esp/transport//require;
> spdadd <Node-B> <Node-A> udp -P in ipsec esp/transport//require;
> EOL
# ip link add vxlan100 type vxlan id 100 remote <Node-B>
# ip addr add 1.1.1.1/24 dev vxlan100
# ip link set vxlan100 up
--- Node-B
# modprobe esp4
# modprobe af_key
# modprobe xfrm4_mode_transport
# setkey -c <<EOL
> flush;
> spdflush;
> add <Node-A> <Node-B> esp 0x201 -E 3des-cbc
> 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
> add <Node-B> <Node-A> esp 0x301 -E 3des-cbc
> 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
> spdadd <Node-B> <Node-A> udp -P out ipsec esp/transport//require;
> spdadd <Node-A> <Node-B> udp -P in ipsec esp/transport//require;
> EOL
# ip link add vxlan100 type vxlan id 100 remote <Node-A>
# ip addr add 1.1.1.2/24 dev vxlan100
# ip link set vxlan100 up
# ping 1.1.1.1
Then packets which are encapsulated with a VXLAN header will be shown in
tcpdump, but they must be ESP packets.
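The tcpdump observation above can be turned into an automated check. The following is an added example, not part of the bug report or the kernel patch: it parses raw IPv4 packets, mirrors the report's "udp -P out ipsec esp/transport//require" policy between the two nodes, and flags any packet that left as cleartext UDP/4789 VXLAN instead of ESP. The node addresses (192.0.2.1/192.0.2.2) and the sample packets are constructed for the example.

```python
import socket
import struct

# Assumed addresses for Node-A and Node-B (documentation range, constructed).
NODE_A, NODE_B = "192.0.2.1", "192.0.2.2"
VXLAN_PORT = 4789

# Mirrors the report's "spdadd <Node-A> <Node-B> udp -P out ipsec esp/transport//require"
# (and the reverse direction): UDP between these pairs must leave the host as ESP.
REQUIRE_ESP = {(NODE_A, NODE_B), (NODE_B, NODE_A)}

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left 0, not validated here) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def vxlan_cleartext(src, dst, vni):
    """What the affected kernel emits: UDP/4789 carrying a VXLAN header in the clear."""
    vxlan = struct.pack("!II", 0x08000000, vni << 8) + b"\x00" * 14  # flags/VNI + dummy frame
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    return ipv4(src, dst, 17, udp)

def esp_transport(src, dst, spi):
    """What the policy requires: IP protocol 50 (ESP) with SPI, sequence, ciphertext."""
    return ipv4(src, dst, 50, struct.pack("!II", spi, 1) + b"\x00" * 24)

def classify(pkt):
    """Return (src, dst, kind) where kind is 'esp', 'vxlan-cleartext' or 'other'."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto == 50:
        return src, dst, "esp"
    if proto == 17 and len(pkt) >= ihl + 16:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        flags = pkt[ihl + 8]                      # first byte of the VXLAN header
        if dport == VXLAN_PORT and flags & 0x08:  # VXLAN "I" (valid VNI) flag set
            return src, dst, "vxlan-cleartext"
    return src, dst, "other"

def policy_violations(pkts):
    """Packets between REQUIRE_ESP pairs that did not leave the host as ESP."""
    bad = []
    for p in pkts:
        src, dst, kind = classify(p)
        if (src, dst) in REQUIRE_ESP and kind != "esp":
            bad.append((src, dst, kind))
    return bad

if __name__ == "__main__":
    sample = [vxlan_cleartext(NODE_A, NODE_B, 100), esp_transport(NODE_A, NODE_B, 0x201)]
    print(policy_violations(sample))  # -> [('192.0.2.1', '192.0.2.2', 'vxlan-cleartext')]
```

On a fixed kernel the same policy yields an empty list, because the VXLAN UDP datagrams are transformed by xfrm into protocol-50 ESP before they reach the wire.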
** Affects: linux-lts-vivid (Ubuntu)
Importance: Undecided
Status: New
** Package changed: apport (Ubuntu) => linux-lts-vivid (Ubuntu)
https://bugs.launchpad.net/bugs/1540886
Title:
xfrm and fwmark do not work on VXLAN xmit