Re: [devel-ipsec] Re: [PATCH ipsec-next v5 3/8] xfrm: allow migration from UDP encapsulated to non-encapsulated ESP

From: Yan Yan

Date: Mon Feb 23 2026 - 22:28:44 EST


Hi Antony,

Sorry for the late reply. We’ve prototyped this and confirmed that
Android can be changed to explicitly provide the encap_tmpl in the
MIGRATE requests. Also we are excited to have kernel support for
encap-to-non-encap migration.

Thanks,
Yan and Nathan

On Mon, Feb 2, 2026 at 11:38 AM Antony Antony <antony@xxxxxxxxxxx> wrote:
>
> On Mon, Feb 02, 2026 at 10:15:24AM -0800, Nathan Harold via Devel wrote:
> > Unfortunately, I believe Android relies on this behavior (at least for
> > now). We never re-send the encap parameters.
> >
> > https://cs.android.com/android/platform/superproject/main/+/main:system/netd/server/XfrmController.cpp;l=1183;drc=61197364367c9e404c7da6900658f1b16c42d0da
>
> Thanks Nathan. It is good to know.
>
> The next question is how do you feel about changing the behavior in
> Android? Would you be willing to re-send ports every time the SA has it?
>
> This will allow more flexible migration. Migrating from NAT to no NAT an
> IPv6 without NAT would be possible.
>
> If that is a bad idea, I would limit this change to the new method only.
>
> regards,
> -antony
>
> >
> > -Nathan
> >
> >
> > On Mon, Feb 2, 2026 at 4:58 AM Antony Antony via Devel <
> > devel@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On Fri, Jan 30, 2026 at 12:28:19 +0100, Sabrina Dubroca wrote:
> > > > 2026-01-27, 11:42:40 +0100, Antony Antony wrote:
> > > > > The current code prevents migrating an SA from UDP encapsulation to
> > > > > plain ESP. This is needed when moving from a NATed path to a non-NATed
> > > > > one, for example when switching from IPv4+NAT to IPv6.
> > > > >
> > > > > Only copy the existing encapsulation during migration if the encap
> > > > > attribute is explicitly provided.
> > > >
> > > > Are we sure nobody out there relies on this behavior (silently copying
> > > > the existing UDP encap without having to explicitly request it in the
> > > > MIGRATE request)? If there are, this patch would break their setup by
> > > > clearing the encap that they expect to still be present.
> > >
> > > Libreswan and Android are the main users of migrate method. Libreswan sets
> > > the value in every call. I am guessing Android does that too.
> > >
> > > Yan, would this patch cause a regression in Android?
> > >
> > > Without this fix migrating from v4 nat to v6 and no v4 nat won't work.
> > >
> > > Also the ENCAP migrate with UDP port was broken before, 2017,
> > > the commit 4ab47d47af20 ("xfrm: extend MIGRATE with UDP encapsulation
> > > port") ?
> > > So likely it was never used by older code and PF_KEY.
> > >
> > > For the new method strongSwan wants to support migrating from UDP encap
> > > to no UDP encap.
> > >
> > > regards
> > > -antony
> > >
> > > PS : Steffen advised not to add a Fixes tag.
> > > --
> > > Devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxx
> > >
>


--
Best,
Yan
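The behaviour under discussion (the kernel only keeping UDP encapsulation across a MIGRATE if the request explicitly carries an encap attribute) is easiest to see at the netlink level. The following C program is an added example, not code from this thread, the kernel patch, Android's XfrmController, Libreswan or strongSwan: it assembles an XFRM_MSG_MIGRATE request that explicitly includes XFRMA_ENCAP, the form Yan says Android will move to, and a small checker that reports whether a given MIGRATE request carries such an attribute. All addresses, ports, and selector/policy values are constructed placeholders; the message is built in a buffer and never sent.

```c
/* Added example (not from the thread, the kernel, Android or strongSwan):
 * build an XFRM_MSG_MIGRATE request that explicitly carries XFRMA_ENCAP,
 * and check whether a request carries one. Nothing is sent to the kernel. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/udp.h>   /* UDP_ENCAP_ESPINUDP */
#include <linux/xfrm.h>

/* Append one attribute after the current payload; -1 if buf is too small. */
static int add_attr(struct nlmsghdr *nlh, size_t bufsize, int type,
                    const void *data, size_t len)
{
    size_t attr_len = NLA_HDRLEN + len;
    size_t start = NLMSG_ALIGN(nlh->nlmsg_len);
    if (start + NLA_ALIGN(attr_len) > bufsize)
        return -1;
    struct nlattr *nla = (struct nlattr *)((char *)nlh + start);
    nla->nla_type = type;
    nla->nla_len = attr_len;
    memcpy((char *)nla + NLA_HDRLEN, data, len);
    nlh->nlmsg_len = start + NLA_ALIGN(attr_len);
    return 0;
}

/* ESP-in-UDP encapsulation template; ports are in network byte order. */
struct xfrm_encap_tmpl make_udp_encap(uint16_t sport, uint16_t dport)
{
    struct xfrm_encap_tmpl e;
    memset(&e, 0, sizeof e);
    e.encap_type = UDP_ENCAP_ESPINUDP;
    e.encap_sport = htons(sport);
    e.encap_dport = htons(dport);
    return e;
}

/* MIGRATE for a tunnel-mode ESP SA moving from old_* to new_* (IPv4).
 * encap != NULL includes XFRMA_ENCAP explicitly; encap == NULL leaves it
 * out, which older kernels silently filled from the SA's current encap.
 * Returns the message length or -1. */
int build_migrate(unsigned char *buf, size_t bufsize,
                  const char *old_saddr, const char *old_daddr,
                  const char *new_saddr, const char *new_daddr,
                  const struct xfrm_encap_tmpl *encap)
{
    if (bufsize < NLMSG_SPACE(sizeof(struct xfrm_userpolicy_id)))
        return -1;
    memset(buf, 0, bufsize);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct xfrm_userpolicy_id *pol = NLMSG_DATA(nlh);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*pol));
    nlh->nlmsg_type = XFRM_MSG_MIGRATE;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    pol->dir = XFRM_POLICY_OUT;      /* constructed: outbound policy */
    pol->sel.family = AF_INET;

    struct xfrm_user_migrate m;
    memset(&m, 0, sizeof m);
    m.proto = IPPROTO_ESP;
    m.mode = XFRM_MODE_TUNNEL;
    m.old_family = AF_INET;
    m.new_family = AF_INET;
    if (inet_pton(AF_INET, old_saddr, &m.old_saddr.a4) != 1 ||
        inet_pton(AF_INET, old_daddr, &m.old_daddr.a4) != 1 ||
        inet_pton(AF_INET, new_saddr, &m.new_saddr.a4) != 1 ||
        inet_pton(AF_INET, new_daddr, &m.new_daddr.a4) != 1)
        return -1;
    if (add_attr(nlh, bufsize, XFRMA_MIGRATE, &m, sizeof m) < 0)
        return -1;
    if (encap && add_attr(nlh, bufsize, XFRMA_ENCAP, encap, sizeof *encap) < 0)
        return -1;
    return (int)nlh->nlmsg_len;
}

/* 1 if the request carries a well-formed XFRMA_ENCAP, 0 if not, -1 if malformed. */
int migrate_has_encap(const unsigned char *buf, size_t len)
{
    if (len < NLMSG_HDRLEN)
        return -1;
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (nlh->nlmsg_len > len || nlh->nlmsg_type != XFRM_MSG_MIGRATE)
        return -1;
    size_t off = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)));
    while (off + NLA_HDRLEN <= nlh->nlmsg_len) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);
        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > nlh->nlmsg_len)
            return -1;
        if ((nla->nla_type & NLA_TYPE_MASK) == XFRMA_ENCAP)
            return nla->nla_len == NLA_HDRLEN + sizeof(struct xfrm_encap_tmpl) ? 1 : -1;
        off += NLA_ALIGN(nla->nla_len);
    }
    return 0;
}

/* Build with or without an explicit encap; constructed sample addresses. */
int demo_migrate(int with_encap)
{
    unsigned char buf[512];
    struct xfrm_encap_tmpl e = make_udp_encap(4500, 4500);
    int n = build_migrate(buf, sizeof buf, "192.0.2.10", "198.51.100.1",
                          "192.0.2.10", "203.0.113.1", with_encap ? &e : NULL);
    return n < 0 ? -1 : migrate_has_encap(buf, (size_t)n);
}

int main(void)
{
    printf("explicit encap: %d, no encap attr: %d\n", demo_migrate(1), demo_migrate(0));
    return 0;
}
```

With the patch's semantics, a request for which `migrate_has_encap` returns 0 now ends up as a plain-ESP SA, so an IKE daemon that wants to keep the UDP encapsulation should take the `demo_migrate(1)` shape and re-send the ports on every MIGRATE, as Libreswan already does.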