[Swan-dev] regression newoe-02-klips raises some questions.

Paul Wouters paul at nohats.ca
Mon Jun 26 20:40:38 UTC 2017


On Mon, 26 Jun 2017, Antony Antony wrote:

>> We should have rejected the ESP transform before getting to the AUTH
>> payload. We used to do this, and it did depend on the stack choice
>> because it checked the "registered" esp/ah algorithms, which are
>> also shown in "ipsec status".
>
> In this test case the initiator, road, klips stack, is proposing
> GCM to the responder east, netkey stack. When east responds with GCM, road
> cannot install the SA.

A similar thing is true for initiating. We should not propose any
transform that is not "registered" for ESP/AH.

>>         /*
>>          * also open the pfkey socket, since we need it to get a list of
>>          * algorithms.
>
> Is this comment still true with the crypto API, post 2010? Or is it a dated comment?
> The above part goes back to 2007. The next lines were added in 2012. I would imagine
> netlink can get a list such as /proc/crypto.

There might be a native call, but we currently don't know about it. It
would be good if we can skip relying on the PFKEY call since the kernel
deems it legacy.

Paul
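The check discussed in this thread, as an added example that is not libreswan code: filter the ESP/AH transforms we propose against the algorithms the local kernel actually registers, and validate the responder's chosen transform the same way, so an unsupported transform is rejected before the AUTH payload instead of failing at SA install. The /proc/crypto text is a constructed sample in the kernel's own format, and the transform-name-to-kernel-name mapping is an assumption for illustration.

```python
"""Added example (not libreswan code): keep ESP/AH proposals consistent with
what the kernel has registered, on both the proposing and the accepting side.
"""
import re

# Constructed sample of /proc/crypto output (only a few entries, kernel format).
SAMPLE_PROC_CRYPTO = """\
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
type         : aead

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
type         : skcipher

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
type         : shash
"""

# Hypothetical mapping from IKE transform names to kernel algorithm names
# (an assumption for this example; libreswan keeps its own tables).
TRANSFORM_TO_KERNEL = {
    "aes_gcm_16": "rfc4106(gcm(aes))",
    "aes_cbc": "cbc(aes)",
    "sha2_256": "hmac(sha256)",
    "chacha20_poly1305": "rfc7539esp(chacha20,poly1305)",
    "3des": "cbc(des3_ede)",
}


def registered_algorithms(proc_crypto_text):
    """Return the set of algorithm names listed in /proc/crypto-style text.

    Each entry starts with a 'name : <algorithm>' line; other fields are ignored.
    """
    return set(re.findall(r"^name\s*:\s*(\S+)", proc_crypto_text, re.MULTILINE))


def filter_proposal(transforms, registered):
    """Split a proposal into transforms the kernel supports and those it does not.

    Only the 'kept' list should ever go on the wire: proposing a transform we
    cannot install guarantees a late failure if the peer selects it.
    """
    kept, dropped = [], []
    for transform in transforms:
        kernel_name = TRANSFORM_TO_KERNEL.get(transform)
        (kept if kernel_name in registered else dropped).append(transform)
    return kept, dropped


def accept_response(chosen, proposed, registered):
    """Validate the responder's selection before continuing the exchange.

    The choice must be one we actually proposed and one the kernel registers;
    anything else is rejected here rather than at SA installation time.
    """
    return chosen in proposed and TRANSFORM_TO_KERNEL.get(chosen) in registered


if __name__ == "__main__":
    registered = registered_algorithms(SAMPLE_PROC_CRYPTO)
    wanted = ["aes_gcm_16", "chacha20_poly1305", "aes_cbc", "sha2_256", "3des"]
    kept, dropped = filter_proposal(wanted, registered)
    print("proposing:", kept)
    print("not registered, dropped:", dropped)
    print("peer picks aes_gcm_16:", accept_response("aes_gcm_16", kept, registered))
    print("peer picks chacha20_poly1305:",
          accept_response("chacha20_poly1305", kept, registered))
```

The same filter applies on the responder side: a proposal from the peer is matched only against the kept set, so the case in the test above (road proposing GCM it cannot install, east selecting it) cannot arise from either end.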

