From: "David DeSimone"
To: "Michael Glasgow"
Cc: freebsd-net@freebsd.org
Date: Tue, 18 Feb 2014 13:26:34 -0500
Subject: RE: ipsec foils traceroute on gre/gif
In-Reply-To: <201402180613.s1I6DdhS020353@dark.beer.net>
List-Id: Networking and TCP/IP with FreeBSD

My understanding of this issue is that replying with an ICMP message for
traceroute carries the risk of violating security policy.

When an ICMP Unreachable packet is generated, the first 64 octets in the
packet are copied into the reply. If the packet was originally encrypted
with IPSEC, those octets were never seen unencrypted on the wire. If the
ICMP Unreachable were permitted to be generated and sent, it could very
well reveal the unencrypted IPSEC packet contents on the wire, because the
source/destination IPs of the ICMP message no longer match the SPDs.

Thus the conservative decision in the kernel is to drop the TTL-exceeded
packet coming from IPSEC, with no reply. In other words, "working as
intended."

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Michael Glasgow
Sent: Tuesday, February 18, 2014 12:14 AM
To: freebsd-net@freebsd.org
Subject: ipsec foils traceroute on gre/gif

I noticed traceroute misses a hop when crossing an encrypted gif or gre
tunnel, e.g.:

$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms

Firewalls are all completely disabled in the above example. It appears
the TTL-exceeded ICMP isn't properly generated.

Poking through the archives, I found this old thread with a lot of info:

http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html

But alas, the final word on whether the recommended fix had any untoward
security ramifications was not forthcoming. Anyone have an interest in
resurrecting this?

-- 
Michael Glasgow
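The reasoning in the reply above, as an added example (not code from the thread or from the FreeBSD kernel): it builds the ICMP Time Exceeded message that quotes the first 64 octets of the expired datagram, then consults a small SPD model to decide whether sending that reply would put decrypted octets on the wire unprotected. The SPD prefixes, the router addresses and the inner source address are constructed for the example; only 172.29.0.5 comes from the traceroute in the thread.

```python
import ipaddress
import struct

# Constructed SPD: address-pair entries whose traffic must be ESP-protected.
# Prefixes are hypothetical and not taken from the thread.
SPD_REQUIRE_ESP = [
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.1.0.0/24")),
]

def spd_requires_esp(src, dst):
    """True if an SPD entry would encrypt traffic between src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((s in a and d in b) or (s in b and d in a) for a, b in SPD_REQUIRE_ESP)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum over data (zero when it verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src, dst, ttl, proto, payload):
    """Minimal IPv4 datagram (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def icmp_time_exceeded(offending, quote_len=64):
    """ICMP type 11 / code 0 quoting the first quote_len octets of the offending
    datagram (the 'first 64 octets' the reply above refers to)."""
    body = struct.pack("!BBHI", 11, 0, 0, 0) + offending[:quote_len]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def handle_ttl_expiry(router_ip, inner, arrived_via_ipsec):
    """Decide what the forwarding node does when a packet it decrypted from IPsec
    expires. Returns ('send', reply_datagram) or ('drop', reason).
    The reply is addressed router_ip -> inner source; if no SPD entry covers that
    pair, the quoted plaintext would leave in the clear, so the reply is dropped."""
    inner_src = str(ipaddress.IPv4Address(inner[12:16]))
    if arrived_via_ipsec and not spd_requires_esp(router_ip, inner_src):
        return ("drop", "reply would carry decrypted octets in the clear")
    return ("send", ipv4_packet(router_ip, inner_src, 64, 1, icmp_time_exceeded(inner)))
```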