From owner-freebsd-net@FreeBSD.ORG  Wed Aug  1 08:31:30 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 213F816A418
	for <freebsd-net@freebsd.org>; Wed,  1 Aug 2007 08:31:30 +0000 (UTC)
	(envelope-from Susan.Lan@zyxel.com.tw)
Received: from zyfb01-66.zyxel.com.tw (zyfb01-66.zyxel.com.tw [59.124.183.66])
	by mx1.freebsd.org (Postfix) with ESMTP id BFF8213C457
	for <freebsd-net@freebsd.org>; Wed,  1 Aug 2007 08:31:29 +0000 (UTC)
	(envelope-from Susan.Lan@zyxel.com.tw)
Received: from zytwbe01.zyxel.com ([172.23.5.10]) by zyfb01-66.zyxel.com.tw
	with Microsoft SMTPSVC(6.0.3790.1830); 
	Wed, 1 Aug 2007 16:31:27 +0800
Received: from zytwfe01.ZyXEL.com ([172.23.5.5]) by zytwbe01.zyxel.com with
	Microsoft SMTPSVC(6.0.3790.1830); Wed, 1 Aug 2007 16:31:27 +0800
Received: from [172.23.17.155] ([172.23.17.155]) by zytwfe01.ZyXEL.com with
	Microsoft SMTPSVC(6.0.3790.1830); Wed, 1 Aug 2007 16:31:27 +0800
Message-ID: <46B044E9.50404@zyxel.com.tw>
Date: Wed, 01 Aug 2007 16:31:37 +0800
From: blue <susan.lan@zyxel.com.tw>
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 01 Aug 2007 08:31:27.0613 (UTC)
	FILETIME=[5A8122D0:01C7D416]
Subject: IPsec AH tunneling pakcet mis-handling?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2007 08:31:30 -0000

Dear all:

I do not know the purpose of the following codes in the very beginning 
in ip6_input():

#ifdef IPSEC
    /*
     * should the inner packet be considered authentic?
     * see comment in ah4_input().
     */
    if (m) {
        m->m_flags &= ~M_AUTHIPHDR;
        m->m_flags &= ~M_AUTHIPDGM;
    }
#endif

Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is 
the end point of the tunnel. After it tore off the outer IPv6 header, 
the mbuf will be inserted to NETISR again. Then ip6_forward() will be 
called again to process the packet. However, in ipsec6_in_reject(), the 
packet's source and destination will match the SP entry. Since 
ip6_input() has truned off the flag M_AUTHIPHDR and M_AUTHIPDGM, the 
packet will be dropped.

I don't think with the codes AH tunnel could work properly.

Best regards,

Yi-Wen