Yukiyo Akisada wrote:
> Wang,
>
> It seems that the FreeBSD kernel has stopped supporting AES-XCBC-MAC-96
> even though setkey still supports AES-XCBC-MAC-96.
>
> Please refer to
> <http://www.tahi.org/logo/ipsec/results/end_node/IPsec_Self_Test_P2_1-0-7/ipsec.p2/11.html>.
>
> This is an old test result, but you can see AES-XCBC-MAC-96 worked on FreeBSD 5.4-RELEASE-p8.
>
> At that time, FreeBSD used the source code from KAME.
> That was </usr/src/sys/netinet6/ah_core.c>.
>
> This reference is from FreeBSD 6.1-RELEASE,
> but it still has the SADB_X_AALG_AES_XCBC_MAC case.
>
> const struct ah_algorithm *
> ah_algorithm_lookup(idx)
> 	int idx;
> {
>
> 	switch (idx) {
> 	case SADB_AALG_MD5HMAC:
> 		return &ah_algorithms[0];
> 	case SADB_AALG_SHA1HMAC:
> 		return &ah_algorithms[1];
> 	case SADB_X_AALG_MD5:
> 		return &ah_algorithms[2];
> 	case SADB_X_AALG_SHA:
> 		return &ah_algorithms[3];
> 	case SADB_X_AALG_NULL:
> 		return &ah_algorithms[4];
> 	case SADB_X_AALG_SHA2_256:
> 		return &ah_algorithms[5];
> 	case SADB_X_AALG_SHA2_384:
> 		return &ah_algorithms[6];
> 	case SADB_X_AALG_SHA2_512:
> 		return &ah_algorithms[7];
> 	case SADB_X_AALG_RIPEMD160HMAC:
> 		return &ah_algorithms[8];
> 	case SADB_X_AALG_AES_XCBC_MAC:
> 		return &ah_algorithms[9];
> 	case SADB_X_AALG_TCP_MD5:
> 		return &ah_algorithms[10];
> 	default:
> 		return NULL;
> 	}
> }
>
> On the other hand,
> FreeBSD 7.0-RELEASE uses </usr/src/sys/netipsec/xform_ah.c> for the ah_algorithm_lookup() function.
>
> struct auth_hash *
> ah_algorithm_lookup(int alg)
> {
> 	if (alg >= AH_ALG_MAX)
> 		return NULL;
> 	switch (alg) {
> 	case SADB_X_AALG_NULL:
> 		return &auth_hash_null;
> 	case SADB_AALG_MD5HMAC:
> 		return &auth_hash_hmac_md5_96;
> 	case SADB_AALG_SHA1HMAC:
> 		return &auth_hash_hmac_sha1_96;
> 	case SADB_X_AALG_RIPEMD160HMAC:
> 		return &auth_hash_hmac_ripemd_160_96;
> 	case SADB_X_AALG_MD5:
> 		return &auth_hash_key_md5;
> 	case SADB_X_AALG_SHA:
> 		return &auth_hash_key_sha1;
> 	case SADB_X_AALG_SHA2_256:
> 		return &auth_hash_hmac_sha2_256;
> 	case SADB_X_AALG_SHA2_384:
> 		return &auth_hash_hmac_sha2_384;
> 	case SADB_X_AALG_SHA2_512:
> 		return &auth_hash_hmac_sha2_512;
> 	}
> 	return NULL;
> }
>
> Now you can see that the SADB_X_AALG_AES_XCBC_MAC case was removed.
>
> Thanks,
>
>
> On Mon, 24 Nov 2008 15:59:57 +0800
> wang_jiabo <jiabwang@redhat.com> wrote:
>
>
>> Hello, all:
>> I am testing IPsec interoperability cases.
>> When I configure the following ipsec.conf file on FreeBSD 7.0:
>>
>> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
>> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E 3des-cbc
>> "ipv6readylogo3descbc1to2" -A aes-xcbc-mac "ipv6readaesx1to2";
>>
>> then run: setkey -f /etc/ipsec.conf
>> the system reports: line 4 : Not supported at [ipv6readaesx1to2]
>> parse failed, line 4.
>>
>> If I use:
>>
>> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
>> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x2000 -m transport -E 3des-cbc
>> "ipv6readylogo3descbc1to2" -A hmac-sha1 "ipv6readaesx1to2";
>>
>> it is OK, with no failure message.
>> It is OK on RedHat OS.
>>
>> Could you help me find where the problem is and how to resolve it?
>> Thanks
>> Wang JiaBo
>>
>
Thanks, Yukiyo Akisada:
I use FreeBSD 6.3 and installed ipsec-tools.
With that, all the IPsec setkey commands passed for the interoperability cases.
Thank you very much for your reply.
Wang JiaBo