From owner-freebsd-net@FreeBSD.ORG Tue Mar 22 05:38:26 2011
Date: Tue, 22 Mar 2011 00:11:29 -0500
From: "David DeSimone"
Mail-Followup-To: freebsd-net@freebsd.org
Message-ID: <20110322051128.GM9636@verio.net>
User-Agent: Mutt/1.5.20 (2009-12-10)
Subject: Re: tcp/ip stack sending icmp "ttl exceeded in traffic" back through gre \w ipsec-esp encryption tunnels.
List-Id: Networking and TCP/IP with FreeBSD

Andrei Manescu - Ivorde wrote:

> Problem: RouterA and RouterB in the following diagram are FreeBSD 6.4-STABLE and 7.4-STABLE running a gre tunnel and ipsec transport mode encryption on top of it.
>
> None of them send an icmp error "TTL Exceeded in traffic" when the TTL of the packet reaches 0 after they decrement it.
>
> hostA----RouterA--GRE-inside-IPSEC/ESP/transport---RouterB---hostB
>
> Packets sent from hostA to hostB with a TTL 2 that should have an ICMP "TTL exceeded in traffic" returned by RouterB have no effect.

Isn't this by design? An ICMP reply might be sent to an unrelated router hop, meaning there is no security association for it. Since that ICMP reply will contain the header of the expired packet, sending that reply will take a packet that was encrypted, and send part of it back, unencrypted. This could potentially provide an attacker with some known plaintext with which to attack your VPN's encryption keys.

--
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow