Folks, I'm proposing the following patch for ip6_input.c:
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index c7ed2b6..5aba6a6 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c 
@@ -409,12 +409,10 @@ void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr, } } else { if (!raw) { - if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { - __IP6_INC_STATS(net, idev, - IPSTATS_MIB_INUNKNOWNPROTOS); - icmpv6_send(skb, ICMPV6_PARAMPROB, - ICMPV6_UNK_NEXTHDR, nhoff); - } + __IP6_INC_STATS(net, idev, + IPSTATS_MIB_INUNKNOWNPROTOS); + icmpv6_send(skb, ICMPV6_PARAMPROB, + ICMPV6_UNK_NEXTHDR, nhoff); kfree_skb(skb); } else { __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);

The patch fixes an IPv6 conformance test failure (v6LC_1_2_03a in the UNH INTACT suite) that occurs specifically when IPsec is in use. The test iterates through the set of unassigned protocol numbers (currently 143 through 252) and inserts these into the Next Header field of a Destination Options header. The expected test result is that an ICMPv6 Parameter Problem is sent back. But if there's a policy in place that requires an active SA between the Test Node and the Device Under Test (and none exists), the inbound packet is quietly dropped.

This behavior is inconsistent with, for example, how unknown TLVs are handled in extension headers (see the TLV parsing code in ipv6/exthdrs.c) or, for instance, how misaligned fragment headers are handled. These will always cause a Parameter Problem message to get sent back to the source.

I have verified that, with the policy check removed, the unit test passes.

FYI, here's a trace of the test in question:

No.     Time           Source                    Destination               Protocol Length Info
      1 0.000000000    fe80::200:10ff:fe10:1080  fe80::260:16ff:fe97:ebf2  IPv6     71     *Unknown IP Protocol: Unassigned (143)*

Frame 1: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface 0
    Interface id: 0 (unknown)
    Interface name: unknown
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 6, 2019 13:27:29.949609000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1549477649.949609000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 71 bytes (568 bits)
    Capture Length: 71 bytes (568 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:ipv6.dstopts:data]
Ethernet II, Src: Sytek_10:10:80 (00:00:10:10:10:80), Dst: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
    Destination: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
        Address: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Sytek_10:10:80 (00:00:10:10:10:80)
        Address: Sytek_10:10:80 (00:00:10:10:10:80)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::200:10ff:fe10:1080, Dst: fe80::260:16ff:fe97:ebf2
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 17
    Next Header: Destination Options for IPv6 (60)
    Hop Limit: 255
    Source: fe80::200:10ff:fe10:1080
    Destination: fe80::260:16ff:fe97:ebf2
    [Source SA MAC: Sytek_10:10:80 (00:00:10:10:10:80)]
    [Destination SA MAC: Clariion_97:eb:f2 (00:60:16:97:eb:f2)]
    Destination Options for IPv6
        *Next Header: Unassigned (143)*
        Length: 0
        [Length: 8 bytes]
        PadN
            Type: PadN (0x01)
                00.. .... = Action: Skip and continue (0)
                ..0. .... = May Change: No
                ...0 0001 = Low-Order Bits: 0x01
            Length: 4
            PadN: 00000000
Data (9 bytes)
    0000  80 00 5c eb 00 00 00 00 00   ..\......
    Data: 80005ceb0000000000
    [Length: 9]

I am working on a product that will ship with IPsec enabled and with a set of traffic selectors in place that will exclude most inbound traffic. Since this is how it will ship to the customer, we must leave IPsec enabled when this goes to UNH for USGv6 certification.

Thanks for your consideration.

--
Farrell
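Review bot: the removed `if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))` guard in the `if (!raw)` branch is what keeps the host silent toward packets that fail inbound IPsec policy, so after this hunk `icmpv6_send(skb, ICMPV6_PARAMPROB, ICMPV6_UNK_NEXTHDR, nhoff)` runs for every policy-rejected packet with an unhandled next header, not only for the v6LC_1_2_03a case, and a node whose selectors are meant to exclude unprotected traffic will now acknowledge that traffic with a Parameter Problem. Suggest keeping the check and, if the conformance behaviour is required, putting the reply behind an explicit configuration knob, or at least stating in the commit message why an unprotected packet with an unknown next header should be answered while an unprotected packet with a known one is dropped; the exthdrs.c comparison from the cover text belongs in that commit message as well. Note also that `__IP6_INC_STATS(net, idev, IPSTATS_MIB_INUNKNOWNPROTOS)` now counts policy-rejected packets too, which changes what that counter means.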
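As an added illustration (not code from the kernel or from this message), a Python model of the receiver-side decision the patch changes: it rebuilds the test packet from the fields in the trace above, walks the extension-header chain to find the offset of the offending Next Header field (the Pointer an ICMPv6 Parameter Problem carries, the kernel's nhoff), and compares pre-patch and post-patch behaviour across the 143 through 252 sweep. Two assumptions are baked in: the outcome of xfrm6_policy_check() is passed in as a boolean, and "no protocol handler registered" is approximated as "the protocol number is unassigned".

```python
import socket
import struct

# Extension headers a receiver walks before reaching the upper-layer protocol
# (RFC 8200 sec. 4). AH/ESP are left out of this model; Fragment is fixed-size.
EXT_HDRS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 60: "Destination Options"}
# The protocol numbers the v6LC_1_2_03a sweep inserts (143..252, as the message states).
UNASSIGNED = range(143, 253)

def build_test_packet(nexthdr=143):
    """Rebuild the traced packet (constructed): IPv6 / Destination Options (PadN) / 9 data bytes."""
    src = socket.inet_pton(socket.AF_INET6, "fe80::200:10ff:fe10:1080")
    dst = socket.inet_pton(socket.AF_INET6, "fe80::260:16ff:fe97:ebf2")
    dstopts = bytes([nexthdr, 0, 0x01, 4, 0, 0, 0, 0])   # NH, HdrExtLen 0, PadN length 4
    payload = dstopts + bytes.fromhex("80005ceb0000000000")
    # Version 6, TC 0, flow 0 | payload length | Next Header 60 (DestOpts) | hop limit 255
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), 60, 255) + src + dst
    return ip6 + payload

def walk_header_chain(pkt):
    """Return (upper-layer nexthdr, nhoff, payload offset).

    nhoff is the offset of the Next Header field that named the unknown protocol:
    the Pointer an ICMPv6 Parameter Problem code 1 carries (the kernel's nhoff).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nexthdr, nhoff, off = pkt[6], 6, 40
    while nexthdr in EXT_HDRS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        hdrlen = 8 if nexthdr == 44 else (pkt[off + 1] + 1) * 8
        nexthdr, nhoff, off = pkt[off], off, off + hdrlen
    return nexthdr, nhoff, off

def receiver_action(pkt, raw_bound, policy_ok, patched):
    """Model the ip6_protocol_deliver_rcu() decision shown in the hunk.

    raw_bound: a raw socket owns the protocol (the kernel's `raw`).
    policy_ok: what xfrm6_policy_check() would return (assumption: supplied by the caller).
    """
    nexthdr, nhoff, _ = walk_header_chain(pkt)
    if nexthdr not in UNASSIGNED or raw_bound:   # assumption: assigned == handler registered
        return "deliver"                         # IPSTATS_MIB_INDELIVERS path
    if patched or policy_ok:
        return "param-problem pointer=%d" % nhoff
    return "drop"                                # pre-patch: policy failed, silent kfree_skb

def conformance_sweep(policy_ok, patched):
    """Protocol numbers from the sweep for which a Parameter Problem is sent back."""
    return [nh for nh in UNASSIGNED
            if receiver_action(build_test_packet(nh), False, policy_ok, patched).startswith("param")]
```

With policy failing, the pre-patch model answers none of the 110 probes and the post-patch model answers all of them, which is exactly the behavioural change the hunk makes for unprotected traffic.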