summaryrefslogtreecommitdiffstats
path: root/sys/netipsec
Commit message (Collapse)AuthorAgeFilesLines
* Merge remote-tracking branch 'origin/stable/10' into develRenato Botelho2016-06-141-1/+1
|\
| * MFC r299387:ngie2016-06-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | r299387 (by cem): netipsec: Fix minor style nit Coverity points out that 'continue' is equivalent to 'break' in a do {} while(false) loop. CID: 1354983
| * MFC r298676:ngie2016-05-131-0/+1
| | | | | | | | | | | | | | | | r298676 (by cem): netipsec: Don't leak memory when deep copy fails CID: 1331693
* | MFC r298676:Luiz Otavio O Souza2016-05-111-0/+1
| | | | | | | | | | | | | | | | | | | | netipsec: Don't leak memory when deep copy fails Reported by: Coverity CID: 1331693 Sponsored by: EMC / Isilon Storage Division TAG: IPSEC-HEAD
* | MFC r298535, r298536 and r298549:Luiz Otavio O Souza2016-05-114-18/+233
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Handle non-compressed packets for IPComp in tunnel mode. RFC3173 says that the IP datagram MUST be sent in the original non-compressed form, when the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload. In tunnel mode for small packets IPComp will send encapsulated IP datagrams without IPComp header. Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these datagrams. The handler does lookup for SA related to IPComp protocol and given from mbuf source and destination addresses as tunnel endpoints. It decapsulates packets only when corresponding SA is found. Reported by: gnn Reviewed by: gnn Differential Revision: https://reviews.freebsd.org/D6062 r298536: Use ipsec_address() function to print IP addresses. r298549: Fix build for NOINET and NOINET6 kernels. Use own protosw structures for both address families. Check proto in encapcheck function and use -1 as proto argument in encap_attach_func(), both address families can have IPPROTO_IPV4 and IPPROTO_IPV6 protocols. Reported by: bz TAG: IPSEC-HEAD
* | MFC r298399:Luiz Otavio O Souza2016-05-111-2/+0
| | | | | | | | | | | | Remove stale function declaration TAG: IPSEC-HEAD
* | MFC r298398:Luiz Otavio O Souza2016-05-115-45/+51
| | | | | | | | | | | | Constify mbuf pointer for IPSEC functions where mbuf isn't modified. TAG: IPSEC-HEAD
* | MFC r297014:Luiz Otavio O Souza2016-05-111-1/+1
| | | | | | | | | | | | | | | | Fix handling of net.inet.ipsec.dfbit=2 variable. IP_DF macro is in host bytes order, but ip_off field is in network bytes order. So, use htons() for correct check. TAG: IPSEC-HEAD
* | MFC r296806:Luiz Otavio O Souza2016-05-111-1/+2
| | | | | | | | | | | | | | | | Put IPSec's anouncement of its successful intialisation under bootverbose: now that it's a default kernel option, we don't really need to tell the world about it on every boot, especially as it won't be used by most users. TAG: IPSEC-HEAD
* | MFC r296303:Luiz Otavio O Souza2016-05-111-0/+1
| | | | | | | | | | | | | | | | | | | | Set tres to NULL to avoid a double free if the m_pullup() below fails. Reviewed by: glebius MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D5497 TAG: IPSEC-HEAD
* | MFC r290982:Luiz Otavio O Souza2016-05-112-7/+31
| | | | | | | | | | | | | | | | | | | | | | Implement the sadb_x_policy_priority field as it is done in Linux: lower priority policies are inserted first. Submitted by: Emeric Poupon <emeric.poupon@stormshield.eu> Reviewed by: ae Sponsored by: Stormshield TAG: IPSEC-HEAD
* | MFC r290924:Luiz Otavio O Souza2016-05-112-8/+2
| | | | | | | | | | | | | | | | | | | | | | Use explicitly specified ivsize instead of blocksize when we mean IV size. Set zero ivsize for enc_xform_null and remove special handling from xform_esp.c. Reviewed by: gnn Differential Revision: https://reviews.freebsd.org/D1503 TAG: IPSEC-HEAD
* | MFC r288418:Luiz Otavio O Souza2016-05-114-14/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Take extra reference to security policy before calling crypto_dispatch(). Currently we perform crypto requests for IPSEC synchronous for most of crypto providers (software, aesni) and only VIA padlock calls crypto callback asynchronous. In synchronous mode it is possible, that security policy will be removed during the processing crypto request. And crypto callback will release the last reference to SP. Then upon return into ipsec[46]_process_packet() IPSECREQUEST_UNLOCK() will be called to already freed request. To prevent this we will take extra reference to SP. PR: 201876 Sponsored by: Yandex LLC TAG: IPSEC-HEAD
* | Revert "Handle non-compressed packets for IPComp in tunnel mode."Renato Botelho2016-04-263-201/+1
| | | | | | | | This reverts commit daa0dd3c20e315dab7cecd5ac7ebd5252c6d6898.
* | Handle non-compressed packets for IPComp in tunnel mode.ae2016-04-253-1/+201
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RFC3173 says that the IP datagram MUST be sent in the original non-compressed form, when the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload. In tunnel mode for small packets IPComp will send encapsulated IP datagrams without IPComp header. Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these datagrams. The handler does lookup for SA related to IPComp protocol and given from mbuf source and destination addresses as tunnel endpoints. It decapsulates packets only when corresponding SA is found. Reported by: gnn Reviewed by: gnn Differential Revision: https://reviews.freebsd.org/D6062 (cherry picked from commit dcf50398ab66cfcba0ae4484efe3b5ce40fb9824)
* | Merge remote-tracking branch 'origin/stable/10' into develRenato Botelho2016-03-091-2/+1
|\ \ | |/
| * MFC r295967:ae2016-03-091-2/+1
| | | | | | | | Fix useless check. m_pkthdr.len should be equal to orglen.
* | Merge remote-tracking branch 'origin/stable/10' into develRenato Botelho2015-11-271-0/+6
|\ \ | |/
| * MFC 290028:gnn2015-11-261-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | Turning on IPSEC used to introduce a slight amount of performance degradation (7%) for host host TCP connections over 10Gbps links, even when there were no secuirty policies in place. There is no change in performance on 1Gbps network links. Testing GENERIC vs. GENERIC-NOIPSEC vs. GENERIC with this change shows that the new code removes any overhead introduced by having IPSEC always in the kernel. Differential Revision: D3993 Sponsored by: Rubicon Communications (Netgate)
* | Revert "Optimize the case where we have IPSEC enabled but do not have ↵Renato Botelho2015-11-271-6/+0
| | | | | | | | | | | | security policies." This reverts commit 5aba7ffcfb97d9b6f4ce464de77b02ad4d7b8ad3.
* | Optimize the case where we have IPSEC enabled but do not have security policies.Luiz Otavio O Souza2015-10-261-0/+6
| | | | | | | | | | TAG: tryforward Differential Revision: https://reviews.freebsd.org/D3993
* | MFC r286292:Luiz Otavio O Souza2015-10-204-89/+97
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec defines the keys differently than NIST does, so we have to muck with key lengths and nonce/IVs to be standard compliant... Remove the iv from secasvar as it was unused... Add a counter protected by a mutex to ensure that the counter for GCM and ICM will never be repeated.. This is a requirement for security.. I would use atomics, but we don't have a 64bit one on all platforms.. Fix a bug where IPsec was depending upon the OCF to ensure that the blocksize was always at least 4 bytes to maintain alignment... Move this logic into IPsec so changes to OCF won't break IPsec... In one place, espx was always non-NULL, so don't test that it's non-NULL before doing work.. minor style cleanups... drop setting key and klen as they were not used... Enforce that OCF won't pass invalid key lengths to AES that would panic the machine... This was has been tested by others too... I tested this against NetBSD 6.1.5 using mini-test suite in https://github.com/jmgurney/ipseccfgs and the only things that don't pass are keyed md5 and sha1, and 3des-deriv (setkey syntax error), all other modes listed in setkey's man page... The nice thing is that NetBSD uses setkey, so same config files were used on both... Reviewed by: gnn TAG: IPSEC-HEAD Issue: #4841
* | MFC r286101:Luiz Otavio O Souza2015-10-202-2/+2
| | | | | | | | | | | | | | | | | | | | | | these are comparing authenticators and need to be constant time... This could be a side channel attack... Now that we have a function for this, use it... jmgurney/ipsecgcm: 24d704cc and 7f37a14 TAG: IPSEC-HEAD Issue: #4841
* | MFC r286100:Luiz Otavio O Souza2015-10-201-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Clean up this header file... use CTASSERTs now that we have them... Replace a draft w/ RFC that's over 10 years old. Note that _AALG and _EALG do not need to match what the IKE daemons think they should be.. This is part of the KABI... I decided to renumber AESCTR, but since we've never had working AESCTR mode, I'm not really breaking anything.. and it shortens a loop by quite a bit.. remove SKIPJACK IPsec support... SKIPJACK never made it out of draft (in 1999), only has 80bit key, NIST recommended it stop being used after 2010, and setkey nor any of the IKE daemons I checked supported it... jmgurney/ipsecgcm: a357a33, c75808b, e008669, b27b6d6 Reviewed by: gnn (earlier version) TAG: IPSEC-HEAD Issue: #4841
* | MFC r286095:Luiz Otavio O Souza2015-10-201-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Correct IPSec SA statistic keeping The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs. When there are multiple transformations being done the statistic keeping might be wrong. This mostly impacts multiple encapsulations on IPsec since the usual scenario it is not noticed due to the code path not taken. Differential Revision: https://reviews.freebsd.org/D3239 Reviewed by: ae, gnn Approved by: gnn(mentor) TAG: IPSEC-HEAD Issue: #4841
* | MFC r286000:Luiz Otavio O Souza2015-10-203-26/+38
| | | | | | | | | | | | | | | | | | | | | | | | RFC4868 section 2.3 requires that the output be half... This fixes problems that was introduced in r285336... I have verified that HMAC-SHA2-256 both ah only and w/ AES-CBC interoperate w/ a NetBSD 6.1.5 vm... Reviewed by: gnn TAG: IPSEC-HEAD Issue: #4841
* | MFC r285770:Luiz Otavio O Souza2015-10-202-23/+8
| | | | | | | | | | | | | | | | | | | | | | IPSEC, remove variable argument function its already due. Differential Revision: https://reviews.freebsd.org/D3080 Reviewed by: gnn, ae Approved by: gnn(mentor) TAG: IPSEC-HEAD Issue: #4841
* | MFC r285347:Luiz Otavio O Souza2015-10-201-3/+3
| | | | | | | | | | | | | | | | Summary: Fix LINT build. The names of the new AES modes were not correctly used under the REGRESSION kernel option. TAG: IPSEC-HEAD Issue: #4841
* | MFC r285336:Luiz Otavio O Souza2015-10-202-73/+99
| | | | | | | | | | | | | | | | | | | | | | | | Add support for AES modes to IPSec. These modes work both in software only mode and with hardware support on systems that have AESNI instructions. Differential Revision: D2936 Reviewed by: jmg, eri, cognet Sponsored by: Rubicon Communications (Netgate) TAG: IPSEC-HEAD Issue: #4841
* | Fix the IPSEC build.Luiz Otavio O Souza2015-10-201-1/+1
| | | | | | | | | | TAG: IPSEC-HEAD Issue: #4841
* | MFC r285096:Luiz Otavio O Souza2015-10-201-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reduce overhead of IPSEC for traffic generated from host When IPSEC is enabled on the kernel the forwarding path has an optimization to not enter the code paths for checking security policies but first checks if there is any security policy active at all. The patch introduces the same optimization but for traffic generated from the host itself. This reduces the overhead by 50% on my tests for generated host traffic without and SP active. Differential Revision: https://reviews.freebsd.org/D2980 Reviewed by: ae, gnn Approved by: gnn(mentor) TAG: IPSEC-HEAD Issue: #4841
* | MFC r284259:Luiz Otavio O Souza2015-10-202-9/+0
| | | | | | | | | | | | | | | | | | drop key_sa_stir_iv as it isn't used... Reviewed by: eri, ae TAG: IPSEC-HEAD Issue: #4841
* | MFC r282982:Luiz Otavio O Souza2015-10-201-4/+2
| | | | | | | | | | | | | | | | Summary: Remove spurious, extra, next header comments. Correct the name of the pad length field. TAG: IPSEC-HEAD Issue: #4841
* | MFC r282139:Luiz Otavio O Souza2015-10-201-2/+1
| | | | | | | | | | | | | | | | | | | | Fix the comment. We will not do SPD lookup again, because ip[6]_ipsec_output() will find PACKET_TAG_IPSEC_OUT_DONE mbuf tag. Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r282132:Luiz Otavio O Souza2015-10-202-0/+3
| | | | | | | | | | | | | | | | | | | | Since PFIL can change mbuf pointer, we should update pointers after calling ipsec_filter(). Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r282048:Luiz Otavio O Souza2015-10-202-2/+2
| | | | | | | | | | | | | | | | | | Make ipsec_in_reject() static. We use ipsec[46]_in_reject() instead. Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r282046:Luiz Otavio O Souza2015-10-204-8/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix possible use after free due to security policy deletion. When we are passing mbuf to IPSec processing via ipsec[46]_process_packet(), we hold one reference to security policy and release it just after return from this function. But IPSec processing can be deffered and when we release reference to security policy after ipsec[46]_process_packet(), user can delete this security policy from SPDB. And when IPSec processing will be done, xform's callback function will do access to already freed memory. To fix this move KEY_FREESP() into callback function. Now IPSec code will release reference to SP after processing will be finished. Differential Revision: https://reviews.freebsd.org/D2324 No objections from: #network Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r281695:Luiz Otavio O Souza2015-10-207-132/+105
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change ipsec_address() and ipsec_logsastr() functions to take two additional arguments - buffer and size of this buffer. ipsec_address() is used to convert sockaddr structure to presentation format. The IPv6 part of this function returns pointer to the on-stack buffer and at the moment when it will be used by caller, it becames invalid. IPv4 version uses 4 static buffers and returns pointer to new buffer each time when it called. But anyway it is still possible to get corrupted data when several threads will use this function. ipsec_logsastr() is used to format string about SA entry. It also uses static buffer and has the same problem with concurrent threads. To fix these problems add the buffer pointer and size of this buffer to arguments. Now each caller will pass buffer and its size to these functions. Also convert all places where these functions are used (except disabled code). And now ipsec_address() uses inet_ntop() function from libkern. PR: 185996 Differential Revision: https://reviews.freebsd.org/D2321 Reviewed by: gnn Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r281694:Luiz Otavio O Souza2015-10-201-1/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Requeue mbuf via netisr when we use IPSec tunnel mode and IPv6. ipsec6_common_input_cb() uses partial copy of ip6_input() to parse headers. But this isn't correct, when we use tunnel mode IPSec. When we stripped outer IPv6 header from the decrypted packet, it can become IPv4 packet and should be handled by ip_input. Also when we use tunnel mode IPSec with IPv6 traffic, we should pass decrypted packet with inner IPv6 header to ip6_input, it will correctly handle it and also can decide to forward it. The "skip" variable points to offset where payload starts. In tunnel mode we reset it to zero after stripping the outer header. So, when it is zero, we should requeue mbuf via netisr. Differential Revision: https://reviews.freebsd.org/D2306 Reviewed by: adrian, gnn Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r281693:Luiz Otavio O Souza2015-10-203-36/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix handling of scoped IPv6 addresses in IPSec code. * in ipsec_encap() embed scope zone ids into link-local addresses in the new IPv6 header, this helps ip6_output() disambiguate the scope; * teach key_ismyaddr6() use in6_localip(). in6_localip() is less strict than key_sockaddrcmp(). It doesn't compare all fileds of struct sockaddr_in6, but it is faster and it should be safe, because all SA's data was checked for correctness. Also, since IPv6 link-local addresses in the &V_in6_ifaddrhead are stored in kernel-internal form, we need to embed scope zone id from SA into the address before calling in6_localip. * in ipsec_common_input() take scope zone id embedded in the address and use it to initialize sin6_scope_id, then use this sockaddr structure to lookup SA, because we keep addresses in the SADB without embedded scope zone id. Differential Revision: https://reviews.freebsd.org/D2304 Reviewed by: gnn Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r281692:Luiz Otavio O Souza2015-10-203-405/+129
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove xform_ipip.c and code related to XF_IP4. The only thing is used from this code is ipip_output() function, that does IPIP encapsulation. Other parts of XF_IP4 code were removed in r275133. Also it isn't possible to configure the use of XF_IP4, nor from userland via setkey(8), nor from the kernel. Simplify the ipip_output() function and rename it to ipsec_encap(). * move IP_DF handling from ipsec4_process_packet() into ipsec_encap(); * since ipsec_encap() called from ipsec[64]_process_packet(), it is safe to assume that mbuf is contiguous at least to IP header for used IP version. Remove all unneeded m_pullup(), m_copydata and related checks. * use V_ip_defttl and V_ip6_defhlim for outer headers; * use V_ip4_ipsec_ecn and V_ip6_ipsec_ecn for outer headers; * move all diagnostic messages to the ipsec_encap() callers; * simplify handling of ipsec_encap() results: if it returns non zero value, print diagnostic message and free mbuf. * some style(9) fixes. Differential Revision: https://reviews.freebsd.org/D2303 Reviewed by: glebius Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r279234:Luiz Otavio O Souza2015-10-202-1/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix possible memory leak and several races in the IPsec policy management code. Resurrect the state field in the struct secpolicy, it has IPSEC_SPSTATE_ALIVE value when security policy linked in the chain, and IPSEC_SPSTATE_DEAD value in all other cases. This field protects from trying to unlink one security policy several times from the different threads. Take additional reference in the key_flush_spd() to be sure that policy won't be freed from the different thread while we are sending SPDEXPIRE message. Add KEY_FREESP() call to the key_unlink() to release additional reference that we take when use key_getsp*() functions. Differential Revision: https://reviews.freebsd.org/D1914 Tested by: Emeric POUPON <emeric.poupon at stormshield dot eu> Reviewed by: hrs Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r277797:Luiz Otavio O Souza2015-10-201-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | key_spdget uses key_setdumpsp() without SPTREE_RLOCK held (it uses referenced pointer to sp). Remove SPTREE_RLOCK_ASSERT from key_setdumpsp() to fix wrong assertion. Reported by: Emeric POUPON Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r276199:Luiz Otavio O Souza2015-10-201-1/+1
| | | | | | | | | | | | | | Fix VIMAGE build. TAG: IPSEC-HEAD Issue: #4841
* | MFC r276188:Luiz Otavio O Souza2015-10-204-209/+140
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rename ip4_def_policy variable to def_policy. It is used by both IPv4 and IPv6. Initialize it only once in def_policy_init(). Remove its initialization from key_init() and make it static. Remove several fields from struct secpolicy: * lock - it isn't so useful having mutex in the structure, but the only thing we do with it is initialization and destroying. * state - it has only two values - DEAD and ALIVE. Instead of take a lock and change the state to DEAD, then take lock again in GC function and delete policy from the chain - keep in the chain only ALIVE policies. * scangen - it was used in GC function to protect from sending several SADB_SPDEXPIRE messages for one SPD entry. Now we don't keep DEAD entries in the chain and there is no need to have scangen variable. Use TAILQ to implement SPD entries chain. Use rmlock to protect access to SPD entries chain. Protect all SP lookup with RLOCK, and use WLOCK when we are inserting (or removing) SP entry in the chain. Instead of using pattern "LOCK(); refcnt++; UNLOCK();", use refcount(9) API to implement refcounting in SPD. Merge code from key_delsp() and _key_delsp() into _key_freesp(). And use KEY_FREESP() macro in all cases when we want to release reference or just delete SP entry. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275712:Luiz Otavio O Souza2015-10-201-2/+4
| | | | | | | | | | | | | | | | | | | | Treat errors when retrieving security policy as policy violation. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275711:Luiz Otavio O Souza2015-10-201-0/+1
| | | | | | | | | | | | | | | | | | | | Initialize error variable. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275710:Luiz Otavio O Souza2015-10-202-23/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove flag/flags argument from the following functions: ipsec_getpolicybyaddr() ipsec4_checkpolicy() ip_ipsec_output() ip6_ipsec_output() The only flag used here was IP_FORWARDING. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275708:Luiz Otavio O Souza2015-10-202-94/+54
| | | | | | | | | | | | | | | | | | | | | | | | Remove flags and tunalready arguments from ipsec4_process_packet() and make its prototype similar to ipsec6_process_packet. The flags argument isn't used here, tunalready is always zero. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
* | MFC r275707:Luiz Otavio O Souza2015-10-206-31/+16
| | | | | | | | | | | | | | | | | | | | Remove now unused mtag argument from ipsec*_common_input_cb. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
OpenPOWER on IntegriCloud