Date: Mon, 24 Mar 2008 18:25:43 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: blue <susan.lan@zyxel.com.tw>
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec AH tunneling packet mis-handling?
Message-ID: <20080324182452.B50685@maildrop.int.zabbadoz.net>
In-Reply-To: <47E7A7C5.2090509@zyxel.com.tw>
References: <46B044E9.50404@zyxel.com.tw> <20080324103345.K50685@maildrop.int.zabbadoz.net> <47E7A7C5.2090509@zyxel.com.tw>
On Mon, 24 Mar 2008, blue wrote:

Hi,

> Sorry, maybe my words confused you.
>
> What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which is
> currently IPSEC in FreeBSD-7.0.

thanks for the clarification.

Can you open a PR with all this information so a) it won't be lost and
b) you'll get feedback. Get it assigned to bz@

Thanks

> BR,
> Yi-Wen
>
> Bjoern A. Zeeb wrote:
>
>> On Wed, 1 Aug 2007, blue wrote:
>>
>> Hi,
>>
>>
>>> Dear all:
>>>
>>> I do not know the purpose of the following code at the very beginning of
>>> ip6_input():
>>>
>>>     #ifdef IPSEC
>>>         /*
>>>          * should the inner packet be considered authentic?
>>>          * see comment in ah4_input().
>>>          */
>>>         if (m) {
>>>             m->m_flags &= ~M_AUTHIPHDR;
>>>             m->m_flags &= ~M_AUTHIPDGM;
>>>         }
>>>     #endif
>>>
>>> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is
>>> the end point of the tunnel. After it tears off the outer IPv6 header, the
>>> mbuf will be inserted into NETISR again. Then ip6_forward() will be called
>>> again to process the packet. However, in ipsec6_in_reject(), the packet's
>>> source and destination will match the SP entry. Since ip6_input() has
>>> turned off the flags M_AUTHIPHDR and M_AUTHIPDGM, the packet will be
>>> dropped.
>>>
>>> I don't think AH tunnel could work properly with this code.
>>
>>
>> I was pointed at this.
>>
>> I am a bit unsure about your setup as you are talking about "AH
>> tunneled" and "encrypted" while at the end it's "AH tunnel" only.
>> So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
>>
>> Can you describe the setup this would be a problem in detail and maybe
>> file a PR so this won't be lost again.
>>
>> We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
>> could look into both at the same time I guess.
>>
>> PS: I am assuming this was with (Fast) IPsec, not KAME IPsec
>> implementation? The date was too close to the change, so I thought it
>> might be better to ask ;-)
>>
>> Thanks
>> /bz
>>
>

-- 
Bjoern A. Zeeb                              bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
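The receive path blue describes, modelled as an added toy in C. This is not FreeBSD code and not code from anyone in the thread: the structures, the `model_*` functions, the SPD contents, the addresses and the flag values are all constructed for the model. It assumes that the inbound policy check consults the M_AUTHIPHDR mark to decide whether an AH-requiring policy is satisfied; whether the real Fast IPsec path behaves like this for an AH tunnel endpoint is exactly what the requested PR is meant to settle. The model runs the same AH-tunnelled packet twice, once with the marks cleared at the top of `ip6_input` on every pass (the `#ifdef IPSEC` block quoted above) and once with them kept across the NETISR reinjection, and also shows that the policy check itself still rejects a plaintext packet for the protected flow in both cases.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Marks AH sets on an mbuf once the ICV has verified (values constructed). */
#define M_AUTHIPHDR 0x1
#define M_AUTHIPDGM 0x2

enum { PROTO_TCP = 6, PROTO_AH = 51 };
enum { DELIVERED = 0, DROPPED_BY_POLICY = 1, DROPPED_BAD_ICV = 2 };

struct pkt {                  /* toy stand-in for an mbuf */
    unsigned flags;
    const char *src, *dst;    /* addresses of the header being processed now */
    int next_proto;
    bool icv_ok;              /* constructed: whether AH verification succeeds */
    const struct pkt *inner;  /* encapsulated packet, set for tunnel-mode AH */
};

/* One SP entry: traffic src->dst is only accepted if it arrived under AH. */
struct sp { const char *src, *dst; bool require_ah; };

/* Constructed SPD: the hosts behind the tunnel are protected; the gateway
 * pair carrying the outer AH header has no policy of its own. */
static const struct sp spd[] = {
    { "2001:db8:a::10", "2001:db8:b::10", true },
};

static const struct sp *sp_lookup(const char *src, const char *dst) {
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        if (strcmp(spd[i].src, src) == 0 && strcmp(spd[i].dst, dst) == 0)
            return &spd[i];
    return NULL;
}

/* Model of the inbound policy check (ipsec6_in_reject in the thread): an
 * AH-requiring policy is satisfied only if the packet still carries the
 * authenticated mark. This is an assumption of the model, not kernel code. */
static bool model_in_reject(const struct pkt *m) {
    const struct sp *sp = sp_lookup(m->src, m->dst);
    return sp != NULL && sp->require_ah && (m->flags & M_AUTHIPHDR) == 0;
}

static int model_ip6_input(struct pkt *m, bool clear_at_input);

/* Model of tunnel-mode AH input: verify, mark authentic, strip the outer
 * header and hand the inner packet back to the input path (the NETISR
 * reinjection blue describes). */
static int model_ah6_input(const struct pkt *m, bool clear_at_input) {
    if (!m->icv_ok)
        return DROPPED_BAD_ICV;
    struct pkt inner = *m->inner;
    inner.flags = m->flags | M_AUTHIPHDR | M_AUTHIPDGM;  /* marks travel inward */
    return model_ip6_input(&inner, clear_at_input);
}

/* Model of ip6_input: with clear_at_input, the quoted #ifdef IPSEC block
 * runs first and strips the marks on every pass, including the second pass
 * of a freshly decapsulated inner packet. */
static int model_ip6_input(struct pkt *m, bool clear_at_input) {
    if (clear_at_input)
        m->flags &= ~(M_AUTHIPHDR | M_AUTHIPDGM);
    if (m->next_proto == PROTO_AH)
        return model_ah6_input(m, clear_at_input);
    /* transport-layer delivery: inbound policy check before the socket sees it */
    return model_in_reject(m) ? DROPPED_BY_POLICY : DELIVERED;
}

/* One AH-tunnelled packet for the protected hosts arriving at the tunnel
 * endpoint. Addresses are constructed. */
int run_ah_tunnel(bool clear_at_input, bool icv_ok) {
    struct pkt inner = { 0, "2001:db8:a::10", "2001:db8:b::10", PROTO_TCP, true, NULL };
    struct pkt outer = { 0, "2001:db8:1::1", "2001:db8:2::1", PROTO_AH, icv_ok, &inner };
    return model_ip6_input(&outer, clear_at_input);
}

/* The same inner flow arriving in the clear: the policy must reject it
 * whether or not ip6_input clears the marks. */
int run_plain_for_protected_flow(bool clear_at_input) {
    struct pkt plain = { 0, "2001:db8:a::10", "2001:db8:b::10", PROTO_TCP, true, NULL };
    return model_ip6_input(&plain, clear_at_input);
}

int main(void) {
    printf("AH tunnel, marks cleared at ip6_input: %d (1 = dropped by policy)\n",
           run_ah_tunnel(true, true));
    printf("AH tunnel, marks kept across reinjection: %d (0 = delivered)\n",
           run_ah_tunnel(false, true));
    printf("AH tunnel, bad ICV: %d (2 = dropped by AH)\n", run_ah_tunnel(true, false));
    printf("plaintext for protected flow: %d (1 = dropped by policy)\n",
           run_plain_for_protected_flow(false));
    return 0;
}
```

The two `run_ah_tunnel` outcomes are the whole disagreement in the thread: the outer packet authenticates fine, but whether the inner packet reaches the socket depends on whether anything records that it came out of a verified AH tunnel by the time the inner addresses are matched against the SPD. Any real fix has to keep the plaintext case rejected, which is what the `run_plain_for_protected_flow` check guards.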