[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Christophe Gouault christophe.gouault at 6wind.com
Mon Aug 21 14:41:02 CEST 2017


Hello strongSwan maintainers,

I am quite concerned by the following commit, that appeared in strongSwan
5.5.2:

067fd2c69c25 ("child-sa: Do not install mark on inbound kernel SA")

As the title states, this patch prevents charon from setting the mark of the
inbound IPsec SA, while still marking the SPs and the outbound SA. This
behavioral change was done as a workaround for route-based VPN to work, and
assumed that it did not break other uses of the mark.

The patch results in several issues, by increasing order of severity:

1/ this violates strongSwan's documentation:

   mark_in = <value>[/<mask>]

     sets an XFRM mark in the inbound IPsec SA and policy. If the mask is
     missing then a default mask of 0xffffffff is assumed.

2/ this breaks the symmetry and coherency of SA and SP configuration.

The inbound SA is the only object that does not wear a mark. The mark is
precisely designed to convey information and to link objects together.

3/ this changes strongSwan's behavior with no backward compatibility option.

So I propose to write a patch to avoid changing the default behavior of
mark_in, while offering the ability to not mark the SA:

the most flexible solution would be to enable to split mark_in/mark_out into
mark_in_sa/mark_in_sp/mark_out_sa/mark_out_sp, just like "mark" may today be
split into "mark_in" and "mark_out".

That way, one would be free to finely mark SPs and/or SAs in conformance to
one's needs. The old behavior would be preserved by default.

Best Regards,
Christophe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20170821/7facf116/attachment.html>


More information about the Dev mailing list