Extended and regular SADB_ACQUIREs should share address extension code
The Solaris/illumos modifications to PF_KEY (RFC 2367) involve a second type of SADB_ACQUIRE message: the extended ACQUIRE. The kernel emits a regular ACQUIRE from ESP if a packet needs ESP. The kernel emits a regular ACQUIRE for AH if a packet needs AH. If a packet needs both, the kernel first emits an ESP ACQUIRE, then when the packet reaches outbound AH processing, it emits an AH ACQUIRE.
An extended ACQUIRE has all required protocols (AH, ESP, or BOTH) that a given packet requires in one message. This is useful for IKEv1, as that's how IPsec SAs are generated during its Quick Mode exchange.
IKEv2, on the other hand, generates IPsec SAs one-protocol-at-a-time, like RFC 2367 specified. Due to historical concentration on IKEv1, regular ACQUIREs often didn't get bugfixes or other attention that extended ACQUIREs did. This issue tracks the merging of common code between extended and regular ACQUIREs - effectively all of the message save the PROPOSAL extension or the X_EPROP (extended proposal) extension. #8381 is a prerequisite for this bug.
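The split described above, as an added example that is not part of the original issue or of the illumos source: a walker that validates the extension lengths of an ACQUIRE and reports the non-proposal extensions (the part both message kinds share) separately from the PROPOSAL or X_EPROP extension. The header layouts and most constants follow RFC 2367; the numeric value used for the extended-proposal extension, the function names and the sample message built by `build_sample` are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* RFC 2367 values; the X_EPROP number is an assumption, check net/pfkeyv2.h. */
enum { SADB_ACQUIRE = 6, SADB_EXT_ADDRESS_SRC = 5, SADB_EXT_ADDRESS_DST = 6,
       SADB_EXT_PROPOSAL = 13, X_EXT_EPROP = 18 };
struct msg_hdr { uint8_t version, type, err, satype; uint16_t len, rsvd; uint32_t seq, pid; };
struct ext_hdr { uint16_t len, type; };  /* both len fields count 64-bit words */

/* Returns a bitmask of the non-proposal extension types (the part both ACQUIRE
 * kinds share), stores the proposal extension type in *prop; 0 if malformed. */
uint32_t acquire_shared_exts(const uint8_t *buf, size_t buflen, uint16_t *prop)
{
    struct msg_hdr m;
    struct ext_hdr e;
    uint32_t mask = 0;
    size_t off = sizeof m, end;

    *prop = 0;
    if (buflen < sizeof m) return 0;
    memcpy(&m, buf, sizeof m);
    end = (size_t)m.len * 8;
    if (m.type != SADB_ACQUIRE || end < sizeof m || end > buflen) return 0;
    while (off < end) {
        if (end - off < sizeof e) return 0;
        memcpy(&e, buf + off, sizeof e);
        /* len 0 would never advance; an oversized len would read past the end */
        if (e.len == 0 || (size_t)e.len * 8 > end - off || e.type > 31) return 0;
        if (e.type == SADB_EXT_PROPOSAL || e.type == X_EXT_EPROP) *prop = e.type;
        else mask |= 1u << e.type;
        off += (size_t)e.len * 8;
    }
    return mask;
}

/* Constructed 88-byte sample: header, SRC, DST and one proposal extension,
 * each extension 3 words long with a zeroed body. */
size_t build_sample(uint8_t *buf, uint8_t satype, uint16_t prop_type)
{
    struct msg_hdr m = { 2, SADB_ACQUIRE, 0, satype, 11, 0, 1, 0 };
    memset(buf, 0, 88);
    memcpy(buf, &m, sizeof m);
    for (int i = 0; i < 3; i++) {
        struct ext_hdr e = { 3, i == 0 ? SADB_EXT_ADDRESS_SRC : i == 1 ? SADB_EXT_ADDRESS_DST : prop_type };
        memcpy(buf + 16 + i * 24, &e, sizeof e);
    }
    return 88;
}
```

Calling `acquire_shared_exts` on a sample built with `SADB_EXT_PROPOSAL` and on one built with `X_EXT_EPROP` yields the same shared mask and differs only in the reported proposal type.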
Updated by Electric Monk over 3 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
commit b7daf79982d77b491ef9662483cd4549e0e5da9a
Author: Dan McDonald <firstname.lastname@example.org>
Date: 2017-08-05T01:34:36.000Z

8529 Extended and regular SADB_ACQUIREs should share address extension code
Portions contributed by: Bayard Bell <email@example.com>
Reviewed by: C Fraire <firstname.lastname@example.org>
Reviewed by: Jason King <email@example.com>
Approved by: Richard Lowe <firstname.lastname@example.org>