Linux router responds to any ARP query when iproute2 xfrm policies are configured for an IPSec tunnel. What's going on?

From: Jarkko Oranen
Date: Thu Jan 16 2020 - 13:25:46 EST


Hi,

First of all, I'm not currently subscribed to LKML, so please CC any replies.

I recently debugged a DHCP client which refused to accept a lease, and noticed that my router seems to reply to ARP requests for any IP address, apparently causing the client to think it was receiving a duplicate IP.

After some debugging, I learned that my router will respond to any ARP query if the IP falls within the traffic selector I'm using for my xfrm interface-based IPSec VPN. For example:

$ arping 1.1.1.1
ARPING 1.1.1.1 from 10.21.1.10 enp7s0
Unicast reply from 1.1.1.1 [00:0D:B9:4B:07:C1] 1.449ms


I tried changing the various ARP-related sysctls, but they had no effect on this behaviour. It stops immediately if I kill the IPSec tunnel and the xfrm policies are removed.

The xfrm interface is created simply with
ip link add st0 type xfrm dev eth0 if_id 1
and 10/8 is routed to it, though this doesn't seem to matter.

When the IPSec tunnel is up and running, it configures xfrm policies like so:

src 0.0.0.0/0 dst 0.0.0.0/0
	dir out priority 399999 ptype main
	tmpl src <my-ip> dst <remote-ip>
		proto esp spi 0xc5a3f611 reqid 1 mode tunnel
	if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
	dir fwd priority 399999 ptype main
	tmpl src <remote-ip> dst <my-ip>
		proto esp reqid 1 mode tunnel
	if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
	dir in priority 399999 ptype main
	tmpl src <remote-ip> dst <my-ip>
		proto esp reqid 1 mode tunnel
	if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main


The traffic selector affects what ARP requests the router responds to, so if I change it to 10.0.0.0/8, it will respond to any ARP request for IPs in that range.

This is happening on Alpine Linux running kernel version 5.4.12-1-lts.

Is this expected behaviour? I would appreciate some pointers.

--
Jarkko Oranen
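The following is an added example, not code from the post or from the kernel: a small parser for the `ip xfrm policy` dump format shown above, plus a predictor that encodes only what the reporter observed (a host answers ARP for any target inside the tunnel traffic selector, and narrowing the selector narrows the answered range). It makes no claim about the kernel code path responsible. Assumptions, labelled in the code: the policy dump is an abridged copy of the one in the post; the 10.0.0.0/8 dump is constructed from the reporter's description of the narrowed selector; and the ARP target is compared against the remote side of each selector (dst of `out` policies, src of `in`/`fwd` policies), with socket policies ignored.

```python
"""Added example (not from the post): parse `ip xfrm policy` output and predict
which ARP targets a host will answer, encoding only the reporter's observation
that replies track the tunnel traffic selector (no claim about the kernel path)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

@dataclass
class XfrmPolicy:
    src: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    direction: str = ""        # "in", "out", "fwd", or "socket-in"/"socket-out"
    priority: int = 0
    if_id: Optional[int] = None
    tmpl: Dict[str, str] = field(default_factory=dict)

# Abridged copy of the dump in the post (tunnel policies plus two socket ones).
PAGE_DUMP = """\
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 399999 ptype main
    tmpl src <my-ip> dst <remote-ip>
        proto esp spi 0xc5a3f611 reqid 1 mode tunnel
    if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 399999 ptype main
    tmpl src <remote-ip> dst <my-ip>
        proto esp reqid 1 mode tunnel
    if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 399999 ptype main
    tmpl src <remote-ip> dst <my-ip>
        proto esp reqid 1 mode tunnel
    if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
"""

# Constructed variant: remote selector narrowed to 10.0.0.0/8, as the post describes.
NARROWED_DUMP = """\
src 0.0.0.0/0 dst 10.0.0.0/8
    dir out priority 399999 ptype main
src 10.0.0.0/8 dst 0.0.0.0/0
    dir fwd priority 399999 ptype main
src 10.0.0.0/8 dst 0.0.0.0/0
    dir in priority 399999 ptype main
"""

def _pairs(tokens: List[str]) -> Dict[str, str]:
    return dict(zip(tokens[0::2], tokens[1::2]))

def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Each policy starts with a 'src X dst Y' line; indented lines refine it."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src" and len(tok) >= 4 and tok[2] == "dst":
            cur = XfrmPolicy(ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[3]))
            policies.append(cur)
        elif cur is None:
            continue
        elif tok[0] in ("dir", "socket"):
            kv = _pairs(tok)
            cur.direction = kv["dir"] if tok[0] == "dir" else "socket-" + kv["socket"]
            cur.priority = int(kv.get("priority", 0))
        elif tok[0] == "tmpl":
            cur.tmpl.update(_pairs(tok[1:]))      # "tmpl src A dst B"
        elif tok[0] == "proto":
            cur.tmpl.update(_pairs(tok))          # "proto esp spi ... reqid ... mode ..."
        elif tok[0] == "if_id":
            cur.if_id = int(tok[1], 0)
    return policies

# Assumption: the ARP target is the address being reached, so compare it against
# the remote side of the selector (dst for out, src for in/fwd); socket policies
# carry no tunnel selector of interest and are skipped.
REMOTE_SIDE = {"out": "dst", "in": "src", "fwd": "src"}

def policies_covering(policies: List[XfrmPolicy], ip: str) -> List[XfrmPolicy]:
    addr = ipaddress.ip_address(ip)
    hits = []
    for p in policies:
        side = REMOTE_SIDE.get(p.direction)
        if side and addr in getattr(p, side):     # False on a v4/v6 mismatch
            hits.append(p)
    return hits

def arp_reply_expected(policies: List[XfrmPolicy], ip: str) -> bool:
    """True if the observed behaviour predicts an ARP reply for this target."""
    return bool(policies_covering(policies, ip))

if __name__ == "__main__":
    targets = ["1.1.1.1", "10.21.1.1", "192.0.2.7", "2001:db8::1"]
    for name, dump in (("0/0 selector", PAGE_DUMP), ("10/8 selector", NARROWED_DUMP)):
        pol = parse_xfrm_policies(dump)
        print(name, {t: arp_reply_expected(pol, t) for t in targets})
```

To compare the prediction against a live box, feed it the real output of `ip xfrm policy` and check each flagged address with `arping -c 1 -I <iface> <ip>` from another host on the segment; a unicast reply carrying the router's MAC for an address the router does not own is the symptom described above.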