This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: verification-needed-xenial

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1876982

Title:
  tunnels over IPv6 are unencrypted when using IPsec

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  In Progress

Bug description:
  [Impact]
  When tunnels are configured over IPv6 using a xfrm policy, it's ignored. That means data will be unencrypted when it shouldn't be.

  [Test case]
  Launch a VM with the given kernel and monitor its network link on the host with:

    tcpdump -n -i virbr0 ip6 and port 4789

  In the guest, set up a tunnel using an IPv6 address:

    ip link add type vxlan id 5 remote fd00:cafe::2 dstport 4789

  When setting the link up, observe packets being output on the host side:

    ip link set vxlan0 up

  Set the link down, and add a xfrm policy to block output to that given IPv6 address:

    ip link set vxlan0 down
    ip xfrm policy add dst fd00:cafe::2 dir out action block

  Check that using ping won't work with Operation not permitted:

    ping6 fd00:cafe::2
    connect: Operation not permitted

  Set the vxlan link up and watch that no packets appear on tcpdump:

    ip link set vxlan0 up

  [Regression potential]
  Tunnels like VXLAN, GENEVE, etc, will stop sending. The test has shown that it still sends at least when no xfrm policy is configured.