xfrm and fwmark do not work on VXLAN xmit
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Invalid
|
Low
|
Unassigned |
Bug Description
On Ubuntu 15.04, kernel 3.19.0-49-generic has known issue that xfrm and fwmark do not work on VXLAN xmit.
This issue was fixed on upstream kernel: https:/
I think the above patch should be backported because this may cause serious problems including security issues.
For example, outgoing VXLAN packet will be sent without encryption even if IPsec security policy is configured properly.
As the result, the packet which should be encrypted can be snooped.
How to reproduce:
When using ipsec-tools (for minimum reproducing steps):
--- Node-A
# modprobe esp4
# modprobe af_key
# modprobe xfrm4_mode_
# setkey -c <<EOL
> flush;
> spdflush;
> add <Node-A> <Node-B> esp 0x201 -E 3des-cbc 0x7aeaca3f87d06
> add <Node-B> <Node-A> esp 0x301 -E 3des-cbc 0xf6ddb555acfd9
> spdadd <Node-A> <Node-B> udp -P out ipsec esp/transport/
> spdadd <Node-B> <Node-A> udp -P in ipsec esp/transport/
> EOL
# ip link add vxlan100 type vxlan id 100 remote <Node-B>
# ip addr add 1.1.1.1/24 dev vxlan100
# ip link set vxlan100 up
--- Node-B
# modprobe esp4
# modprobe af_key
# modprobe xfrm4_mode_
# setkey -c <<EOL
> flush;
> spdflush;
> add <Node-A> <Node-B> esp 0x201 -E 3des-cbc 0x7aeaca3f87d06
> add <Node-B> <Node-A> esp 0x301 -E 3des-cbc 0xf6ddb555acfd9
> spdadd <Node-B> <Node-A> udp -P out ipsec esp/transport/
> spdadd <Node-A> <Node-B> udp -P in ipsec esp/transport/
> EOL
# ip link add vxlan100 type vxlan id 100 remote <Node-A>
# ip addr add 1.1.1.2/24 dev vxlan100
# ip link set vxlan100 up
# ping 1.1.1.1
Then packets which is encapsulated with VXLAN header will be shown in tcpdump, but they must be ESP packets.
affects: | apport (Ubuntu) → linux-lts-vivid (Ubuntu) |
Atzm Watanabe, thank you for reporting this and helping make Ubuntu better.
As per https:/ /wiki.ubuntu. com/Releases, Ubuntu 15.04 is EOL as of February 4, 2016.
Is this reproducible with a supported release?