From owner-freebsd-bugs@FreeBSD.ORG  Wed Oct  1 19:40:03 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EBEFB106569C
	for <freebsd-bugs@hub.freebsd.org>;
	Wed,  1 Oct 2008 19:40:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id C8B848FC3A
	for <freebsd-bugs@hub.freebsd.org>;
	Wed,  1 Oct 2008 19:40:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m91Je3VS002148
	for <freebsd-bugs@freefall.freebsd.org>; Wed, 1 Oct 2008 19:40:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m91Je3T9002147;
	Wed, 1 Oct 2008 19:40:03 GMT (envelope-from gnats)
Resent-Date: Wed, 1 Oct 2008 19:40:03 GMT
Resent-Message-Id: <200810011940.m91Je3T9002147@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Cyrus Rahman <crahman@gmail.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 84D3D1065687
	for <freebsd-gnats-submit@FreeBSD.org>;
	Wed,  1 Oct 2008 19:36:02 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 71CD68FC29
	for <freebsd-gnats-submit@FreeBSD.org>;
	Wed,  1 Oct 2008 19:36:02 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id m91Ja2Pt047116
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 1 Oct 2008 19:36:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id m91Ja2KR047114;
	Wed, 1 Oct 2008 19:36:02 GMT (envelope-from nobody)
Message-Id: <200810011936.m91Ja2KR047114@www.freebsd.org>
Date: Wed, 1 Oct 2008 19:36:02 GMT
From: Cyrus Rahman <crahman@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/127785: IPSEC with IPv6 fails to pass traffic through enc0
	interface
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2008 19:40:04 -0000


>Number:         127785
>Category:       kern
>Synopsis:       IPSEC with IPv6 fails to pass traffic through enc0 interface
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 01 19:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Cyrus Rahman
>Release:        FreeBSD 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD silva.signetica.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Thu Sep 25 23:49:02 MDT 2008     cr@silva.signetica.com:/usr/src/sys/amd64/compile/SIGNETICA  amd64

>Description:
The enc0 interface is supposed to inherit all IPSEC traffic, allowing packet filters to perform their work with knowledge of the packet's contents.

This works as expected in IPv4.

In IPv6, no IPSEC traffic is passed to enc0.  As a result, firewall rules are bypassed silently.
>How-To-Repeat:
Set up an IPv6 security association between two hosts and observe that all formerly firewall-blocked traffic can now pass freely.
>Fix:
The new IPSEC simply doesn't contain code to do this for IPv6.

Until such code is written it would be prudent to include a warning in the enc(4) manual page mentioning that IPv6 IPSEC traffic will not be visible to the enc interface, and that therefore firewall rules will not be applied to such traffic.


>Release-Note:
>Audit-Trail:
>Unformatted: