Libreswan-xfrm-kernel-support

Revision as of 12:10, 3 June 2019

Here are the gory details of Linux kernel support that you may run into. One recurring theme: when Linux kernel IPsec gets a new feature, its default is usually "N", and the distributions take that default. So when libreswan starts using the new feature, we or someone else often needs to chase the various distributions to get the feature enabled. The challenge of this model, as far as I can see, is that libreswan, a userland application, has no easy way to require a kernel config option to be enabled or disabled.

= Linux XFRM support =

== Recommended set for 5.0 ==

== XFRMI 4.19 or later ==

== Mobike CONFIG_XFRM_MIGRATE ==

The Linux kernel has supported MOBIKE for ages, possibly since 2.x. However, many distributions ship with CONFIG_XFRM_MIGRATE set to no. One could argue that MOBIKE is a security risk and hence should be disabled. However, disabling it would affect only a small set of users, and those users are probably already tweaking the kernel to their needs.

=== Mobike possible security issue ===

A possible security issue: someone creates an IPsec connection to a LAN while physically (or via Wi-Fi) connected to an administratively allowed network. Say a special project allows VPN access only when you are present at a site. When MOBIKE is administratively allowed in the kernel and in libreswan, one could move this IPsec/VPN connection to a 3G connection and take it outside the permitted LAN, say to home. Now this VPN keeps its connection from anywhere. Many users don't have such a setup. Because of that, I argue that the default kernel of distributions should allow MOBIKE.

== Issues noticed in the wild ==

=== CONFIG_XFRM_STATISTICS 3.28 ===

In some distributions, as of May 2019, the kernel config contains "# CONFIG_XFRM_STATISTICS is not set". This causes a runtime error in libreswan: "No XFRM kernel interface detected". You need a couple of patches, or you need to enable this option in the kernel. This is specific to libreswan 3.28; 3.29 has fixes for this issue. However, it is a really good idea to enable
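As an added example (not part of libreswan's own tooling), a POSIX shell check that reads a kernel config and reports the three options discussed on this page (CONFIG_XFRM_MIGRATE for MOBIKE, CONFIG_XFRM_INTERFACE for XFRMI, CONFIG_XFRM_STATISTICS), treating "# ... is not set" lines as disabled. The sample config it reports on first is constructed; reading /proc/config.gz and /boot/config-$(uname -r) for the running kernel is an assumption about where the distribution keeps the config.

```shell
# Added example, not libreswan's own tooling: report the XFRM kernel options
# this page discusses, reading a config file given as $1, the running kernel's
# /proc/config.gz, or /boot/config-$(uname -r) (assumed locations).

XFRM_OPTIONS="CONFIG_XFRM_MIGRATE CONFIG_XFRM_INTERFACE CONFIG_XFRM_STATISTICS"

# Constructed sample in kernel .config syntax; MIGRATE is disabled the way a distribution kernel shows it.
SAMPLE_CFG='CONFIG_XFRM=y
CONFIG_XFRM_STATISTICS=y
# CONFIG_XFRM_MIGRATE is not set
CONFIG_XFRM_INTERFACE=m'

# Print the kernel config text; $1 may name a config file. Fails if none is found.
kconfig_text() {
    if [ -n "$1" ]; then
        cat "$1"
    elif [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# kconfig_value CONFIG_TEXT OPTION: prints y, m, or n ("is not set" or absent).
kconfig_value() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=\(.*\)\$/\1/p" | head -n 1)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;
    esac
}

# xfrm_report CONFIG_TEXT: prints OPTION=value per line; returns 1 if any option is n.
xfrm_report() {
    missing=0
    for opt in $XFRM_OPTIONS; do
        v=$(kconfig_value "$1" "$opt")
        printf '%s=%s\n' "$opt" "$v"
        [ "$v" = n ] && missing=1
    done
    return $missing
}

echo "sample config:"; xfrm_report "$SAMPLE_CFG" || echo "  -> libreswan features needing the options marked n are unavailable"
if cfg=$(kconfig_text "$1"); then
    echo "running kernel:"; xfrm_report "$cfg" || echo "  -> consider enabling the options marked n"
fi
```

Run it with a distribution's config file as the argument to compare a candidate kernel before booting it.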

== Distributions default configuration ==
* [https://salsa.debian.org/kernel-team/linux/blob/master/debian/config/amd64/config Debian AMD64 config snippet]
* [https://src.fedoraproject.org/rpms/kernel/blob/84dd8fe88279144ddb82168d1cc44117073ff07e/f/configs/fedora/generic/CONFIG_XFRM_INTERFACE Fedora snippet]
* CentOS
* OpenWRT MIPS BE