svn:author: ae
svn:date: 2016-12-10T14:20:51.009261Z
svn:log:

Rework NAT-T support.

Remove UDP_ENCAP_ESPINUDP_NON_IKE UDP encapsulation support. This type was introduced in draft-ietf-ipsec-udp-encaps-00 and then removed in draft-ietf-ipsec-udp-encaps-02. All these drafts expired almost 15 years ago. Now we support only the one encapsulation type described in RFC 3948. NAT-T support is enabled by default in the IPSEC kernel; the IPSEC_NAT_T option is removed.

Move UDP encapsulation related code into netipsec/udpencap.c. Add udp_ipsec_input() function. Use it from the UDP input path to check whether a datagram needs decapsulation. Add udp_ipsec_output() function to encapsulate an outbound IP+ESP datagram into UDP. Add udp_ipsec_adjust_cksum() function to update the TCP/UDP checksum of a decapsulated and decrypted inbound packet for a transport mode SA.

Introduce the net.inet.ipsec.natt_cksum_policy sysctl variable. It controls how udp_ipsec_adjust_cksum() updates the TCP/UDP checksum:
  0: use incremental checksum update using information about original addresses from IKE;
  1: fully recalculate checksum;
  2: for UDP reset checksum to zero, for TCP set mbuf's csum_flags to mark checksum as valid.

Due to changes in SADB, each SA now has a unique SPI. Thus even when several peers are behind the same NAT, they will all have different SPIs and we don't need to keep ports in the SAIDX. Remove all such port checks and all XXX comments related to NAT-T from key.c. Instead add a big comment that describes how NAT-T support is implemented and where the kernel expects NAT-T extension headers. Introduce "struct secnatt {}" that contains all information related to NAT-T; allocate it on demand if IKEd has determined the presence of NAT. Add support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages.
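The three natt_cksum_policy values differ in how the transport-layer checksum of a decapsulated transport-mode packet is repaired once the NAT has rewritten the outer addresses the peer checksummed over. The following is an added C example written for this page; it is not the commit's netipsec code and does not use its udp_ipsec_adjust_cksum(). The addresses (OA_SRC as the initiator's own address, i.e. what IKE's NAT-OAi reports and the kernel would take from SADB_X_EXT_NAT_T_OAI; NAT_SRC as the address the NAT substituted; OA_DST as the responder), the constructed 21-byte UDP datagram and every function name are assumptions made for illustration. Policy 0 is modelled as the RFC 1624 incremental update over the four changed address words, policy 1 as a full recomputation over the pseudo-header and datagram, policy 2 as clearing the UDP checksum; the TCP csum_flags side of policy 2 is not modelled. Two edge cases a practitioner hits are handled: a stored UDP checksum of 0 means "no checksum" and is left alone, and a computed 0 is transmitted as 0xffff per RFC 768.

```c
/* Checksum fix-up for a transport-mode UDP datagram after NAT-T decapsulation.
 * The peer checksummed it over its original (pre-NAT) addresses; the receiver
 * now holds it under the post-NAT addresses of the outer header.
 * Added example, not FreeBSD netipsec code: OA_SRC/NAT_SRC/OA_DST, the
 * datagram and all function names are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DGRAM 256
#define OA_SRC  0x0a000002u   /* 10.0.0.2: initiator's own address (NAT-OAi) */
#define NAT_SRC 0xc6336407u   /* 198.51.100.7: address the NAT substituted */
#define OA_DST  0xcb007105u   /* 203.0.113.5: responder, unchanged by the NAT */

enum natt_cksum_policy {
	NATT_CKSUM_INCREMENTAL = 0,  /* adjust using original addresses from IKE */
	NATT_CKSUM_RECALC = 1,       /* recompute over the whole datagram */
	NATT_CKSUM_RESET = 2         /* UDP: clear the checksum field */
};

static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
	for (; len > 1; p += 2, len -= 2)
		sum += (uint32_t)p[0] << 8 | p[1];
	return len ? sum + ((uint32_t)p[0] << 8) : sum;  /* odd byte, zero padded */
}

static uint16_t csum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)sum;
}

/* Policy 1: checksum over IPv4 pseudo-header + UDP header + payload, with the
 * checksum field treated as zero. */
uint16_t udp_csum_full(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
	uint8_t ph[12] = { 0 }, buf[MAX_DGRAM];
	uint16_t c;

	if (len < 8 || len > MAX_DGRAM)
		return 0;
	for (int i = 0; i < 4; i++) {
		ph[i] = (uint8_t)(src >> (24 - 8 * i));
		ph[4 + i] = (uint8_t)(dst >> (24 - 8 * i));
	}
	ph[9] = 17 /* IPPROTO_UDP */; ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
	memcpy(buf, udp, len);
	buf[6] = buf[7] = 0;
	c = (uint16_t)~csum_fold(csum_add(csum_add(0, ph, 12), buf, len));
	return c ? c : 0xffff;   /* RFC 768: a computed zero is sent as all ones */
}

int udp_csum_ok(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
	uint16_t stored = (uint16_t)(udp[6] << 8 | udp[7]);
	/* a stored zero means the sender did not checksum the datagram at all */
	return stored == 0 || udp_csum_full(src, dst, udp, len) == stored;
}

/* Policy 0: RFC 1624 incremental update HC' = ~(~HC + ~m + m') over the four
 * 16-bit address words; the payload is never touched. */
uint16_t csum_adjust_addrs(uint16_t csum, uint32_t old_src, uint32_t old_dst,
    uint32_t new_src, uint32_t new_dst)
{
	uint32_t sum = (uint16_t)~csum;

	sum += (uint16_t)~(old_src >> 16) + (uint16_t)~(old_src & 0xffff);
	sum += (uint16_t)~(old_dst >> 16) + (uint16_t)~(old_dst & 0xffff);
	sum += (new_src >> 16) + (new_src & 0xffff) + (new_dst >> 16) + (new_dst & 0xffff);
	return (uint16_t)~csum_fold(sum);
}

/* Apply the configured policy to a decapsulated, decrypted datagram. */
void natt_fixup_udp(enum natt_cksum_policy pol, uint8_t *udp, size_t len,
    uint32_t oa_src, uint32_t oa_dst, uint32_t cur_src, uint32_t cur_dst)
{
	uint16_t stored = (uint16_t)(udp[6] << 8 | udp[7]), fixed = 0;

	if (stored == 0)
		return;   /* sender disabled the UDP checksum: nothing to fix */
	if (pol == NATT_CKSUM_INCREMENTAL) {
		fixed = csum_adjust_addrs(stored, oa_src, oa_dst, cur_src, cur_dst);
		if (fixed == 0)
			fixed = 0xffff;
	} else if (pol == NATT_CKSUM_RECALC) {
		fixed = udp_csum_full(cur_src, cur_dst, udp, len);
	}
	udp[6] = (uint8_t)(fixed >> 8); udp[7] = (uint8_t)fixed;
}

/* Constructed datagram as the peer built it: ports 1234 -> 53, 13-byte payload
 * (odd length, so the padding rule is exercised), checksummed over src/dst. */
size_t build_sample_udp(uint8_t *buf, uint32_t src, uint32_t dst)
{
	static const uint8_t hdr[8] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 21, 0, 0 };
	uint16_t c;

	memcpy(buf, hdr, 8);
	memcpy(buf + 8, "NAT-T example", 13);
	c = udp_csum_full(src, dst, buf, 21);
	buf[6] = (uint8_t)(c >> 8); buf[7] = (uint8_t)c;
	return 21;
}

/* Walks the scenario under one policy and returns the checksum the datagram
 * carries afterwards, or -1 if any verification step fails. */
int demo_natt_fixup(enum natt_cksum_policy pol)
{
	uint8_t pkt[MAX_DGRAM];
	size_t n = build_sample_udp(pkt, OA_SRC, OA_DST);

	if (!udp_csum_ok(OA_SRC, OA_DST, pkt, n))   /* valid as the peer sent it */
		return -1;
	if (udp_csum_ok(NAT_SRC, OA_DST, pkt, n))   /* NAT rewrote src: now broken */
		return -1;
	natt_fixup_udp(pol, pkt, n, OA_SRC, OA_DST, NAT_SRC, OA_DST);
	if (!udp_csum_ok(NAT_SRC, OA_DST, pkt, n))  /* must verify post-NAT */
		return -1;
	return pkt[6] << 8 | pkt[7];
}
```

Calling demo_natt_fixup() with policies 0 and 1 yields the same repaired checksum, which is the point of policy 0: it reaches that value from the stored checksum and the eight address bytes alone, without walking the payload, but it is only correct if the original addresses the IKE daemon supplied actually match what the peer checksummed over. Policy 1 is independent of the IKE data at the cost of a full pass over the datagram. Policy 2 produces a datagram whose checksum field is 0, which a UDP receiver treats as "not checksummed", so end-to-end integrity of the inner payload then rests entirely on ESP.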