linux/net/xfrm
Steffen Klassert 6fa5ddcc67 xfrm: Don't allow esn with disabled anti replay detection
Unlike the standard case, disabled anti replay detection needs some
nontrivial extra treatment on ESN. RFC 4303 states:

    Note: If a receiver chooses to not enable anti-replay for an SA, then
    the receiver SHOULD NOT negotiate ESN in an SA management protocol.
    Use of ESN creates a need for the receiver to manage the anti-replay
    window (in order to determine the correct value for the high-order
    bits of the ESN, which are employed in the ICV computation), which is
    generally contrary to the notion of disabling anti-replay for an SA.

So return an error if an ESN state with disabled anti replay detection
is inserted for now and add the extra treatment later if we need it.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-10 15:03:34 -07:00
Kconfig
Makefile xfrm: Move IPsec replay detection functions to a separate file 2011-03-13 20:22:30 -07:00
xfrm_algo.c xfrm: Pass name as const to xfrm_*_get_byname(). 2011-02-27 23:04:45 -08:00
xfrm_hash.c
xfrm_hash.h xfrm: Const'ify address args to hash helpers. 2011-02-23 23:07:42 -08:00
xfrm_input.c xfrm: Move the test on replay window size into the replay check functions 2011-03-28 23:34:51 -07:00
xfrm_ipcomp.c
xfrm_output.c dst: Clone child entry in skb_dst_pop 2011-03-27 17:55:01 -07:00
xfrm_policy.c xfrm: Assign the inner mode output function to the dst entry 2011-05-10 15:03:34 -07:00
xfrm_proc.c
xfrm_replay.c xfrm: Don't allow esn with disabled anti replay detection 2011-05-10 15:03:34 -07:00
xfrm_state.c xfrm: Assign esn pointers when cloning a state 2011-03-28 23:34:52 -07:00
xfrm_sysctl.c
xfrm_user.c xfrm: Check for the new replay implementation if an esn state is inserted 2011-04-26 12:46:04 -07:00