Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP
From: Antony Antony
Date: Mon Feb 02 2026 - 07:58:42 EST

On Fri, Jan 30, 2026 at 12:28:19 +0100, Sabrina Dubroca wrote:
> 2026-01-27, 11:42:40 +0100, Antony Antony wrote:
> > The current code prevents migrating an SA from UDP encapsulation to
> > plain ESP. This is needed when moving from a NATed path to a non-NATed
> > one, for example when switching from IPv4+NAT to IPv6.
> >
> > Only copy the existing encapsulation during migration if the encap
> > attribute is explicitly provided.
>
> Are we sure nobody out there relies on this behavior (silently copying
> the existing UDP encap without having to explicitly request it in the
> MIGRATE request)? If there are, this patch would break their setup by
> clearing the encap that they expect to still be present.

Libreswan and Android are the main users of the migrate method. Libreswan sets the
value in every call. I am guessing Android does that too.
Yan, would this patch cause a regression in Android?

Without this fix, migrating from v4 NAT to v6 and no v4 NAT won't work.
Also the ENCAP migrate with UDP port was broken before, 2017,
the commit 4ab47d47af20 ("xfrm: extend MIGRATE with UDP encapsulation port") ?
So likely it was never used by older code and PF_KEY.

For the new method, strongSwan wants to support migrating from UDP encap
to no UDP encap.

regards
-antony

PS: Steffen advised not to add a Fixes tag.