Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP

Next message: Ulf Hansson: "Re: [PATCH] pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc-&gt;domains"
Previous message: Bartosz Golaszewski: "Re: [PATCH 0/3] Revert &quot;revocable: Revocable resource management&quot;"
In reply to: Antony Antony: "[PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sabrina Dubroca

Date: Fri Jan 30 2026 - 06:28:45 EST

2026-01-27, 11:42:40 +0100, Antony Antony wrote:
> The current code prevents migrating an SA from UDP encapsulation to
> plain ESP. This is needed when moving from a NATed path to a non-NATed
> one, for example when switching from IPv4+NAT to IPv6.
>
> Only copy the existing encapsulation during migration if the encap
> attribute is explicitly provided.

Are we sure nobody out there relies on this behavior (silently copying
the existing UDP encap without having to explicitly request it in the
MIGRATE request)? If there are, this patch would break their setup by
clearing the encap that they expect to still be present.

--
Sabrina