From: Matthew Grant
To: freebsd-gnats-submit@FreeBSD.org
Date: Tue, 27 Sep 2011 03:51:42 GMT
Message-Id: <201109270351.p8R3pgNl084531@red.freebsd.org>
Subject: kern/161058: enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host

>Number:         161058
>Category:       kern
>Synopsis:       enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 27 04:00:16 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Grant
>Release:        8.2-p2
>Organization:   Net24 Ltd
>Environment:
FreeBSD dns-slave0.devel.net.nz 8.2-RELEASE-p2 FreeBSD 8.2-RELEASE-p2 #3: Mon Sep 26 09:23:45 NZDT 2011 root@dns-slave0.devel.net.nz:/usr/obj/usr/src/sys/IPSEC amd64
>Description:
Outgoing IPv6 host traffic that is to be encrypted is not being captured by the enc0 device. IPFW only sees it as esp. tcpdump cannot see it either. This is after trying all combinations of the sysctl flags.

/etc/sysctl.conf:

# Set up IPSEC filtering
net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001
net.inet.ipsec.ecn=1
net.inet.ipsec.filtertunnel=0
net.inet.ip.fw.one_pass=0

This has been tried with IPv6 directly on em0, and over an IPv6 sit6 gif tunnel.

It would be good to get this fixed, as we would like to deploy FreeBSD servers with IPSEC IPv6 encrypted networking. This is critical for securing the contents of the SPD, as it can supply statefulness when combined with IPSEC-matching ipfw or pf properties.
>How-To-Repeat:
ifconfig enc0 up. Make sure net.enc.out/in are set to default or as:

net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001

Incoming IPv6 traffic will be observed, and none of the outgoing traffic from the host. In the IPv4 equivalent, outgoing traffic will be observed and in ipfw will show up as coming from the enc0 device. Incoming IPv6 traffic will be matched in ipfw on rules with the 'ipsec' property set.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
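The report above hinges on the four net.enc.* masks, which enc(4) reads as bitmasks (0x1 = the "before" IPsec-processing copy, 0x2 = the "after" copy; the ENC_BEFORE/ENC_AFTER names are from if_enc.h and are assumed here, as is their meaning). Before concluding that the kernel is dropping the outbound IPv6 copy, a defender wants to confirm the configuration actually asks enc0 to capture in both directions. The script below is an added example, not part of the PR or of FreeBSD; it parses the sysctl.conf fragment quoted in the report (embedded as a constructed sample), decodes each mask, and flags any direction where BPF capture on enc0 is disabled. The conf_get, decode_enc_mask and check_enc_config functions and the --live mode are assumptions of this example; the --live commands need root on a FreeBSD host and are skipped otherwise.

```shell
#!/bin/sh
# Added example (not from PR kern/161058 or FreeBSD): decode the enc(4)
# sysctl masks from a sysctl.conf fragment and report what enc0 is
# configured to copy to BPF / pfil for each direction.

# Constructed sample: the fragment quoted in the PR description.
SAMPLE_CONF='
# Set up IPSEC filtering
net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001
net.inet.ipsec.filtertunnel=0
'

# conf_get KEY CONF: print the value of KEY in CONF (last occurrence wins),
# or nothing if the key is not present.
conf_get() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*${key_re}=\(.*\)$/\1/p" | tail -n 1
}

# decode_enc_mask VALUE: map a mask (hex or decimal) to the enc(4) copies it
# enables. Assumed bit values from if_enc.h: ENC_BEFORE=0x1, ENC_AFTER=0x2.
# Bits outside 0x3 are ignored, as the kernel has no use for them.
decode_enc_mask() {
    v=$(( $1 ))
    case $(( v & 3 )) in
        0) echo none ;;
        1) echo before ;;
        2) echo after ;;
        3) echo before+after ;;
    esac
}

# check_enc_config CONF: print one line per net.enc.* mask. Returns 0 when
# BPF capture is enabled for both directions (so missing traffic on enc0
# cannot be explained by the masks), 1 when a direction is switched off.
check_enc_config() {
    ok=0
    for dir in out in; do
        for kind in bpf filter; do
            key="net.enc.$dir.ipsec_${kind}_mask"
            val=$(conf_get "$key" "$1")
            if [ -z "$val" ]; then
                echo "$key: not set (kernel default applies)"
                continue
            fi
            copies=$(decode_enc_mask "$val")
            echo "$key=$val -> $copies"
            if [ "$kind" = bpf ] && [ "$copies" = none ]; then
                echo "  enc0 will capture nothing for '$dir'; fix this mask before suspecting the kernel"
                ok=1
            fi
        done
    done
    return $ok
}

# Offline run: analyse the constructed sample.
check_enc_config "$SAMPLE_CONF" || echo "capture disabled in at least one direction"

# Live run (FreeBSD, root): bring enc0 up and look for IPv6 in both directions.
# With the sample masks, the PR reports that only inbound IPv6 is seen here.
if [ "${1:-}" = "--live" ]; then
    ifconfig enc0 up
    sysctl net.enc.out.ipsec_bpf_mask net.enc.in.ipsec_bpf_mask
    tcpdump -ni enc0 -c 10 ip6
fi
```

Run it with no arguments to check a configuration offline; on the affected host, run it as root with --live while generating IPv6 traffic over the SA, and compare the captured directions against what check_enc_config says the masks allow.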