Re: [devel-ipsec] Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP

From: Antony Antony

Date: Mon Feb 02 2026 - 14:38:49 EST


On Mon, Feb 02, 2026 at 10:15:24AM -0800, Nathan Harold via Devel wrote:
> Unfortunately, I believe Android relies on this behavior (at least for
> now). We never re-send the encap parameters.
>
> https://cs.android.com/android/platform/superproject/main/+/main:system/netd/server/XfrmController.cpp;l=1183;drc=61197364367c9e404c7da6900658f1b16c42d0da

Thanks Nathan. It is good to know.

The next question is how do you feel about changing the behavior in
Android? Would you be willing to re-send the ports every time the SA has them?

This will allow more flexible migration. Migrating from NAT to no NAT and
IPv6 without NAT would be possible.

If that is a bad idea, I would limit this change to the new method only.

regards,
-antony

>
> -Nathan
>
>
> On Mon, Feb 2, 2026 at 4:58 AM Antony Antony via Devel <
> devel@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > On Fri, Jan 30, 2026 at 12:28:19 +0100, Sabrina Dubroca wrote:
> > > 2026-01-27, 11:42:40 +0100, Antony Antony wrote:
> > > > The current code prevents migrating an SA from UDP encapsulation to
> > > > plain ESP. This is needed when moving from a NATed path to a non-NATed
> > > > one, for example when switching from IPv4+NAT to IPv6.
> > > >
> > > > Only copy the existing encapsulation during migration if the encap
> > > > attribute is explicitly provided.
> > >
> > > Are we sure nobody out there relies on this behavior (silently copying
> > > the existing UDP encap without having to explicitly request it in the
> > > MIGRATE request)? If there are, this patch would break their setup by
> > > clearing the encap that they expect to still be present.
> >
> > Libreswan and Android are the main users of the migrate method. Libreswan
> > sets the value in every call. I am guessing Android does that too.
> >
> > Yan, would this patch cause regression in Android?
> >
> > Without this fix, migrating from v4 NAT to v6 and no v4 NAT won't work.
> >
> > Also, the ENCAP migrate with UDP port was broken before 2017,
> > commit 4ab47d47af20 ("xfrm: extend MIGRATE with UDP encapsulation
> > port")?
> > So likely it was never used by older code and PF_KEY.
> >
> > For the new method strongSwan wants to support migrating from UDP encap
> > to no UDP encap.
> >
> > regards
> > -antony
> >
> > PS: Steffen advised not to add a Fixes tag.
> > --
> > Devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxx