Message ID | cover.1574685542.git.sd@queasysnail.net |
---|---|
Series | ipsec: add TCP encapsulation support (RFC 8229) |

On Mon, Nov 25, 2019 at 02:48:56PM +0100, Sabrina Dubroca wrote:
> This patchset introduces support for TCP encapsulation of IKE and ESP
> messages, as defined by RFC 8229 [0]. It is an evolution of what
> Herbert Xu proposed in January 2018 [1] that addresses the main
> criticism against it, by not interfering with the TCP implementation
> at all. The networking stack now has infrastructure for this: TCP ULPs
> and Stream Parsers.
>
> The first patches are preparation and refactoring, and the final patch
> adds the feature.
>
> The main omission in this submission is IPv6 support. ESP
> encapsulation over UDP with IPv6 is currently not supported in the
> kernel either, as UDP encapsulation is aimed at NAT traversal, and NAT
> is not frequently used with IPv6.
>
> Some of the code is taken directly, or slightly modified, from Herbert
> Xu's original submission [1]. The ULP and strparser pieces are
> new. This work was presented and discussed at the IPsec workshop and
> netdev 0x13 conference [2] in Prague, last March.
>
> [0] https://tools.ietf.org/html/rfc8229
> [1] https://patchwork.ozlabs.org/patch/859107/
> [2] https://netdevconf.org/0x13/session.html?talk-ipsec-encap
>
> Changes since v6:
> - fix sparse warning in patch 6/6
>
> Changes since v5:
> - rebase patch 1/6 on top of ipsec-next (conflict with commits
>   7c422d0ce975 ("net: add READ_ONCE() annotation in
>   __skb_wait_for_more_packets()") and 3f926af3f4d6 ("net: use
>   skb_queue_empty_lockless() in busy poll contexts"))
>
> Changes since v4:
> - prevent combining sockmap with espintcp, as this does not work
>   properly and I can't see a use case for it
>
> Changes since v3:
> - fix sparse warning related to RCU tag on icsk_ulp_data
>
> Changes since v2:
> - rename config option to INET_ESPINTCP and move it to
>   net/ipv4/Kconfig (patch 6/6)
>
> Changes since v1:
> - drop patch 1, already present in the tree as commit bd95e678e0f6
>   ("bpf: sockmap, fix use after free from sleep in psock backlog
>   workqueue")
> - patch 1/6: fix doc error reported by kbuild test robot <lkp@intel.com>
> - patch 6/6, fix things reported by Steffen Klassert:
>   - remove unneeded goto and improve error handling in
>     esp_output_tcp_finish
>   - clean up the ifdefs by providing dummy implementations of those
>     functions
>   - fix Kconfig select, missing NET_SOCK_MSG
>
> Sabrina Dubroca (6):
>   net: add queue argument to __skb_wait_for_more_packets and
>     __skb_{,try_}recv_datagram
>   xfrm: introduce xfrm_trans_queue_net
>   xfrm: add route lookup to xfrm4_rcv_encap
>   esp4: prepare esp_input_done2 for non-UDP encapsulation
>   esp4: split esp_output_udp_encap and introduce esp_output_encap
>   xfrm: add espintcp (RFC 8229)

All applied to ipsec-next, thanks a lot Sabrina!