in linux-audit-02-ike-fail-ikev2 why is INITIATE to UNROUTED PERMANENT with NEGOTIATION=HOLD a no-op?

[cagney]

For instance, in linux-audit-02-ike-fail-ikev2:

| whack: start: initiate name='ikev2-failtest' remote='<null>' async=no (fd@0x7fbba391ffe8)
...
| "ikev2-failtest": routing: dispatch INITIATE to UNROUTED PERMANENT (initiate_connection_4_fab() +378 programs/pluto/initiate.c)
| priority calculation of is 1757393 (0x1ad0d1) base=1 portsw=2 protow=1, srcw=104 dstw=104 instw=1
| kernel_ops_policy_add() ADD+OUTBOUND installing negotiation kernel policy for permanent connection (initiate_connection_4_fab() +378 programs/pluto/initiate.c)
| kernel_ops_policy_add()   client=10.0.1.0/24->10.0.2.0/24 lifetime=0s
| kernel_ops_policy_add()   sa_marks=out:0/0,in:0/0
| kernel_ops_policy_add()   policy=0.0.0.0=>0.0.0.0,NEGOTIATION=HOLD,priority=1757393,TRANSPORT[ESP@0(ALL)]
| kernel_ops_policy_add() SPI_HOLD implemented as no-op
| "ikev2-failtest": routing: UNROUTED PERMANENT -> UNROUTED_NEGOTIATION #0 (unrouted_permanent_to_unrouted_negotiation() +360 programs/pluto/routing.c)

[cagney]

Here's how the problem manifests itself:

| "ikev2-failtest": routing: dispatch INITIATE to UNROUTED PERMANENT (initiate_connection_4_fab() +378 programs/pluto/initiate.c)
| "ikev2-failtest": routing: UNROUTED PERMANENT -> UNROUTED_NEGOTIATION #0 (unrouted_permanent_to_unrouted_negotiation() +360 programs/pluto/routing.c)
"ikev2-failtest" #1: initiating IKEv2 connection
"ikev2-failtest" #1: sent IKE_SA_INIT request to 192.1.2.23:500
"ikev2-failtest" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
"ikev2-failtest" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
"ikev2-failtest" #1: encountered fatal error in state STATE_V2_PARENT_I2
"ikev2-failtest" #1: deleting IKE SA (PARENT_I2) aged 0.253643s and NOT sending notification
"ikev2-failtest" #1: IMPAIR: skipping revival of connection that is supposed to remain up
"ikev2-failtest": terminating SAs using this connection
| "ikev2-failtest": routing: dispatch UNROUTE to UNROUTED_NEGOTIATION PERMANENT (release_connection() +196 programs/pluto/connections.c)
ERROR: "ikev2-failtest": kernel: xfrm XFRM_MSG_DELPOLICY delete response for flow (out): No such file or directory (errno 2)

because the negotiation shunt is a no-op the code trips up when it tries to delete it

[cagney]

Here's the command (where ikev2-failtest is permanent) with commentary:

ikev2-failtest is UNROUTED ...

west# ipsec auto --up ikev2-failtest # sanitize-retransmits
1v2 "ikev2-failtest" #1: initiating IKEv2 connection
1v2 "ikev2-failtest" #1: sent IKE_SA_INIT request to 192.1.2.23:500

in mainline, ikev2-failtest is still UNROUTED.

Should the UNROUTED permanent connection instead transition to UNROUTED_NEGOTIATION (nee UNROUTED_HOLD) while negotiating? And if yes, should a policy be installed? Currently NEGOTIATION=HOLD is a no-op.

1v2 "ikev2-failtest" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "ikev2-failtest" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
036 "ikev2-failtest" #1: encountered fatal error in state STATE_V2_PARENT_I2

at this point things fail so the code tries to tear down the policy.

002 "ikev2-failtest" #1: deleting IKE SA (PARENT_I2) and NOT sending notification
002 "ikev2-failtest" #1: IMPAIR: skipping revival of connection that is supposed to remain up
ERROR: "ikev2-failtest": kernel: xfrm XFRM_MSG_DELPOLICY delete response for flow (out): No such file or directory (errno 2)

[cagney]

this, from old code was the intent:

			/*
			 * We don't know how to implement %hold, but it is okay.
			 * When we need a hold, the kernel XFRM acquire state
			 * will do the job (by dropping or holding the packet)
			 * until this entry expires. See /proc/sys/net/core/xfrm_acq_expires
			 * After expiration, the underlying policy causing the original acquire
			 * will fire again, dropping further packets.
			 */

but this will only work when there's a trap installed (for instance when the connection is in state ROUTED_ONDEMAND, something that isn't true here).

So ..., what would KLIPS do?

 * A TRAP eroute is installed and we want to replace it with a HOLD
 * eroute.

And more interestingly, in ipsec_xmit_init1()

	if (ixs->outgoing_said.proto == IPPROTO_INT) {
		switch (ntohl(ixs->outgoing_said.spi)) {
... kilps/pfkey blindly sent SPI_HOLD thorough to the kernel
		case SPI_HOLD:
			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
				    "klips_debug:ipsec_xmit_encap_bundle: "
				    "shunt SA of HOLD: this does not make sense here, dropping.\n");
			if (ixs->stats)
				ixs->stats->tx_dropped++;
			break;
... i.e., SPI_HOLD is actually SPI_DROP
		case SPI_TRAP:
		case SPI_TRAPSUBNET:
...
				if (pfkey_acquire(&ixs->ips) == 0) {
					/* note that we succeeded */
...
					if (ixs->outgoing_said.spi ==
					    htonl(SPI_TRAPSUBNET)) {
... spi must be SPI_TRAP
					} else if (create_hold_eroute(ixs)) {
... i.e., SPI_TRAP gets turned into SPI_HOLD; sometimes

so it looks like NEGOTIATION=HOLD should be interpreted as NEGOTIATION=BLOCK

[cagney]

The problem is that the permanent connection may not yet know its selectors (for instance it is going to acquire them via a CP payload). Installing a HOLD would block all traffic.

If the intent is to block traffic until things establish then the connection should be routed.