From owner-freebsd-net@FreeBSD.ORG Mon Mar 24 18:30:08 2008
Date: Mon, 24 Mar 2008 18:25:43 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: blue
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec AH tunneling packet mis-handling?
In-Reply-To: <47E7A7C5.2090509@zyxel.com.tw>
Message-ID: <20080324182452.B50685@maildrop.int.zabbadoz.net>
References: <46B044E9.50404@zyxel.com.tw> <20080324103345.K50685@maildrop.int.zabbadoz.net> <47E7A7C5.2090509@zyxel.com.tw>
List-Id: Networking and TCP/IP with FreeBSD
On Mon, 24 Mar 2008, blue wrote:

Hi,

> Sorry, maybe my words make you confused.
>
> What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which is
> currently IPSEC in FreeBSD-7.0.

thanks for the clarification.

Can you open a PR with all this information so a) it won't be lost
and b) you'll get feedback. Get it assigned to bz@

Thanks

> BR,
> Yi-Wen
>
> Bjoern A. Zeeb wrote:
>
>> On Wed, 1 Aug 2007, blue wrote:
>>
>> Hi,
>>
>>
>>> Dear all:
>>>
>>> I do not know the purpose of the following code at the very beginning of
>>> ip6_input():
>>>
>>> #ifdef IPSEC
>>>     /*
>>>      * should the inner packet be considered authentic?
>>>      * see comment in ah4_input().
>>>      */
>>>     if (m) {
>>>         m->m_flags &= ~M_AUTHIPHDR;
>>>         m->m_flags &= ~M_AUTHIPDGM;
>>>     }
>>> #endif
>>>
>>> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is
>>> the end point of the tunnel. After it tore off the outer IPv6 header, the
>>> mbuf will be inserted into NETISR again. Then ip6_forward() will be called
>>> again to process the packet. However, in ipsec6_in_reject(), the packet's
>>> source and destination will match the SP entry. Since ip6_input() has
>>> turned off the flags M_AUTHIPHDR and M_AUTHIPDGM, the packet will be
>>> dropped.
>>>
>>> I don't think AH tunnel could work properly with this code.
>>
>>
>> I was pointed at this.
>>
>> I am a bit unsure about your setup as you are talking about "AH
>> tunneled" and "encrypted" while at the end it's "AH tunnel" only.
>> So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
>>
>> Can you describe in detail the setup in which this would be a problem,
>> and maybe file a PR so this won't be lost again.
>>
>> We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
>> could look into both at the same time I guess.
>>
>> PS: I am assuming this was with (Fast) IPsec, not the KAME IPsec
>> implementation? The date was too close to the change, so I thought it
>> might be better asking;-)
>>
>> Thanks
>> /bz
>>
>

-- 
Bjoern A. Zeeb                              bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.