From owner-freebsd-security Mon Apr 16 12:16: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2D72237B43C for ; Mon, 16 Apr 2001 12:16:02 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA31026; Mon, 16 Apr 2001 12:15:35 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda31024; Mon Apr 16 12:15:23 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3GJFIa06170; Mon, 16 Apr 2001 12:15:18 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdRn6161; Mon Apr 16 12:14:23 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3GJEMh06453; Mon, 16 Apr 2001 12:14:22 -0700 (PDT) Message-Id: <200104161914.f3GJEMh06453@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdav6448; Mon Apr 16 12:14:05 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Brian Candler Cc: Lowell Gilbert , Rasputin , freebsd-security@FreeBSD.ORG Subject: Re: Interaction between ipfw, IPSEC and natd In-reply-to: Your message of "Mon, 16 Apr 2001 11:23:58 BST." <20010416112358.A13561@linnet.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 16 Apr 2001 12:14:05 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010416112358.A13561@linnet.org>, Brian Candler writes: > > Some forms of IPSEC have fundamental problems with packet rewriting, > > which means that NAT is extremely hard to use in an IPSEC environment. > > Notably, end-to-end IPSEC modes are broken, although router-based > > tunnels can be a problem depending on whether the NAT rewriting occurs > > before or after the IPSEC headers are applied. > > > > Even without NAT, though, firewalls are a little tricky to configure > > for IPSEC packets. This is because the firewall can't see the > > protocol ports (or even the protocol, for that matter) in the packet, > > Ah, it seems I wasn't clear :-) It's actually a very simple scenario, and I > do not need IPSEC packets to be routed through the firewall at all. There > are cleartext sessions which need NAT to be able to browse the outside > Internet, and then cleartext packets which are IPSEC-tunnelled from one > private network to another, like this: > > Internet Internet > ^ . . . . . . . . . . ^ > | , IPSEC tunnel ` | > +----------+ +----------+ > | Firewall | | Firewall | > +----------+ +----------+ > | | > ---+--- ---+--- > Office1 Office2 > 10.0.1.0/24 10.0.2.0/24 > > Now, I have done a bit of experimentation and found the following. > > 1. Packets which are diverted to natd are reinjected into the ipfw ruleset > at the following rule (actually 'man 8 natd' does say this). The packets > do retain their 'in via ' tag. 'man 4 divert' documents the > mechanism which makes this possible. > > 2. Incoming IPSEC packets pass _twice_ through the ipfw rules: once in > their encapsulated form (protocol 50), and when decrypted they pass > through the whole ruleset again, retaining their 'in via ' tag. > > The second rule makes things a bit of a mess. For starters, you need two > rules to permit IPSEC traffic through, one in encrypted and one in decrypted > form: > > add 1000 allow esp from to in via fxp0 > add 1010 allow ip from 10.0.1.0/24 to 10.0.2.0/24 in via fxp0 > > Now, it seems ipfw cannot tell the difference between a packet which came > 'in via fxp0' in the clear, or 'in via fxp0' as IPSEC which was successfully > decrypted and authenticated. > > It is not clear what happens if someone spoofs a packet with a 10.0.x source > and dest address and injects it into the outside interface of the firewall; > hopefully the IPSEC policy (/require) catches this case and drops the > packet, but I would feel much happier with an explicit ipfw antispoofing > rule. I've noticed this with IP Filter as well. For applications where this is a critical issue, I use the pipsecd port, allowing me to filter on the external interface (xl0, fxp0, etc), e.g. AH and ESP, and the tun(4) interface that pipsecd is attached to, e.g. TCP, UDP, ICMP. I realise that this was discussed on this list within the past 6 months and that one the KAME developers (KAME is obviously IPv6 focused) indicated that IPv6 addressing would not allow for IPSec packets being filtered on an interface because IPv6 addresses span all interfaces. (I realise I'm not quoting this exactly, or may have even got the quote completely wrong however that's what it boils down to IPv4 users trying to use KAME IPSec). As far as solutions go, I don't have one, other than continue to use pipsecd for situations that need this kind of filtering. Just sort of thinking out loud here, would some kind of daemon (or other facility), that would attach itself to a tun(4) (or other) interface, like pipsecd does, but use the kernel's IPSec facility to encrypt and encapsulate the packets instead of its own, then inject them into the external interface be of use? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message