[Swan-dev] end.host_addr's port

Antony Antony antony at phenome.org
Fri Aug 23 12:27:27 UTC 2019 

yes too many organically grown workarounds. MOBIKE and NAT stretched these 
ideas quite a bit.

I  am just sharing few  bits I re-collect from MOBIKE work.
btw have you noticed pluto_port yet? It is used as initial value host_port.

On Thu, Aug 22, 2019 at 05:06:34PM -0400, Andrew Cagney wrote:
> I'm looking at:
> 
> struct end {
>        ip_address host_addr;
>         ip_subnet client;
>         bool has_client;
>         bool has_client_wildcard;
>         bool has_port_wildcard;
>         uint16_t host_port;             /* where the IKE port is */
>         uint16_t port;                  /* port number, if per-port keying */
> }
> 
> and am puzzled by .port vs .host_port and .client vs .host[addr].  My
> working theory was that things were paired:
> 
>    .client and .port (what IKEv2 calls a traffic selector)
>    .host_addr and .host_port (the IKE endpoint)

This theory sounds good, possibly over simplistic. It is missing the part 
dynamic change. The need copy from c to st and vice versa is complicated with 
MOBIKE. It touch what is in c and what is in st, especially for an 
instantiated connection.

for the record IKE is an IKEv2 termonlogy. during IKEv1 only days isakmp was 
popular.
 
> but, in the case of .host_addr, the code seems to be fighting itself
> over what the port should be.  For instance:
> 
> - in ikev2_ts.c the .host_addr's port is forced to the negotiated TS
> client port:
> 
>     c->spd.that.client = tmp_subnet_r;
>     c->spd.that.port = st->st_ts_that.startport;
>     c->spd.that.protocol = st->st_ts_that.ipprotoid;
>     setportof(htons(c->spd.that.port),
>           &c->spd.that.host_addr);
>     setportof(htons(c->spd.that.port),
>           &c->spd.that.client.addr);
> 
> - but then in state.c:mobike, it's forced to the sender's port
> (.sender has probably always had the port embedded in it).
> 
>         /* MOBIKE responder processing request */
>         c->spd.that.host_addr = md->sender;
>         c->spd.that.host_port = hportof(&md->sender);

My recollections are vague and I didn't double checked it in git master.

you need IKE port in a connection for two reasons. To survive a restart, 
short interruptions, say dpd. Second for output "ipsec status"?

Note when initiating a connection a call to set_state_ike_endpoints.

 set_state_ike_endpoints(st, c)
	st->st_remoteaddr = c->spd.that.host_addr;
	st->st_remoteport = c->spd.that.host_port;

While adding MOBIKE, Paul and I realized copying port and host_addr to c 
would be a limitation for a longer connection interruptions and restart.
However, we used a reasoning most use cases are only for right=%any. Those 
connections wouldn't initiate after say a dpd restart or when the other end
reboots.

The MOBIKE overwriting host_port and host_addr in c is a limitation!
In most use cases Libreswan is MOBIKE responder with right=%any so it sort 
of works. That is why you are seeing overwriting what is in c, which is 
confusing.

on the responder one odd bit for me is:
calls in  instantiate()
	port = htons(dst->port);
	setportof(port, &dst->host_addr);

> A look at *_raw_eroute() shows .host_port is ignored (I thought it was
> used, but it turns out that was only for prettying an error).
> 
> A look at .has_client shows more promise, the code seems to copy
> .host_addr into .client vis:
> 
>     /* default client to subnet containing only self
>      * XXX This may mean that the client's address family doesn't match
>      * tunnel_addr_family.
>      */
>     if (!c->spd.that.has_client)
>         addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
> 
> and, I I'm guessing, is assuming that /host_addr's port is still set
> to .port (the client port).

Also note the comparisons to pluto_port. 

I think we can delete some of them.
c->spd.this.port can go, use c->spd.this.client.addr.port instead

host_port can be ditched in favor of host_addr's port. This might be a bit 
invasive change in v1 and v2.

I wonder what to do with ikev2 ts, same information has multiple copies in 
st, and in c.

while we are at it, recent changes bc4d25c065b  #ifdef ENDPOINT_ADDRESS_PORT 
is a bit confusing to me. These started a while ago? 25bcb7f6cb0. Too many 
changes in flight.

More information about the Swan-dev mailing list