From owner-freebsd-questions Tue Dec 18 16:09:32 2001
Delivered-To: freebsd-questions@freebsd.org
To: freebsd-questions@freebsd.org
Subject: IPSec: Is it possible to require tunnel AH?
From: Joel Ray Holveck <joelh@gnu.org>
Date: 18 Dec 2001 16:09:28 -0800
Message-ID: <87y9k0vznr.fsf@thor.piqnet.org>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1

I've been having trouble with the use of AH in a tunnel context.  I
don't see any way to require AH on incoming packets with IPv4.
Consider the following fragment:

    spdadd 192.168.13.8/32 0.0.0.0/0 any -P in ipsec
        ah/tunnel/192.168.13.8-192.168.13.2/use ;

If I switch 'use' to 'require', then all packets are rejected.

I can give you more context if you like, but I didn't want to make my
question overly long; in a nutshell, the 192.168.13.8 box is on an
802.11 network.

Note that the handbook uses this in an example:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

in the section on IPv4 tunnel mode.

If there is no 'require' ability, then what is the use of tunnel mode
AH?  In this instance, I don't care if the rest of the Internet had
done icky stuff before the tunnel endpoint, because I can filter that
out at or before said endpoint.

I think this hinges around the following bit of code, from
/sys/netinet6/ah_input.c:

    #if 1
    	/*
    	 * Should the inner packet be considered authentic?
    	 * My current answer is: NO.
    	 *
    	 * host1 -- gw1 === gw2 -- host2
    	 *	In this case, gw2 can trust the authenticity of the
    	 *	outer packet, but NOT inner.  Packet may be altered
    	 *	between host1 and gw1.
    	 *
    	 * host1 -- gw1 === host2
    	 *	This case falls into the same scenario as above.
    	 *
    	 * host1 === host2
    	 *	This case is the only case when we may be able to leave
    	 *	M_AUTHIPHDR and M_AUTHIPDGM set.
    	 *	However, if host1 is wrongly configured, and allows
    	 *	attacker to inject some packet with src=host1 and
    	 *	dst=host2, you are in risk.
    	 */
    	m->m_flags &= ~M_AUTHIPHDR;
    	m->m_flags &= ~M_AUTHIPDGM;
    #endif

Thanks,
joelh

-- 
Joel Ray Holveck - joelh@gnu.org
   Fourth law of programming:
   Anything that can go wrong wi
sendmail: segmentation violation - core dumped