Date:      Thu, 17 Aug 2017 13:50:13 +1000
From:      Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To:        "freebsd-security@freebsd.org" <freebsd-security@FreeBSD.org>
Subject:   IPSEC anomaly on FreeBSD11.1S when specifying specific port in policy rules.
Message-ID:  <321a4895-8c4e-8261-eedf-c93bccd696d0@heuristicsystems.com.au>

I was about to send to @freebsd-stable until I realised that there are
security implications for folks that may be using this, thinking that
their confidential material is protected, which may not be entirely correct.

---
Would appreciate others testing/confirming TCP over ESP as it seems to
have a problem on 11.1Stable when specifying a specific port in policy.

Performing this simple netcat test
From Origin 10.0.7.6
ipfw 1 zero ; echo hi | nc -4nv -w 2 10.0.7.91 5000 ; ipfw show 1
Connection to 10.0.7.91 5000 port [tcp/*] succeeded!
00001        8         736 allow esp from any to any
00001        0           0 allow udp from any to any dst-port 5000
00001        0           0 allow udp from any 5000 to any
00001        0           0 allow tcp from any to any dst-port 5000
00001        1          60 allow tcp from any 5000 to any

From Destination 10.0.7.91
ipfw 1 zero ; ipfw 2 zero ; ipfw 3 zero ; nc -l 10.0.7.91 5000 ; ipfw
show 1-3
00002 0   0 allow tcp from any 5000 to any via enc0
00002 0   0 allow tcp from any 5000 to any via lo0
00002 1  60 allow tcp from any 5000 to any via white
00003 8 736 allow esp from any to any
00003 0   0 allow udp from any to any dst-port 5000

As can be observed there is a return packet that is not, but should be,
sent over esp.

Confirmed via tcpdump on destination
11:23:53.401156 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4c),
length 72
11:23:53.401182 IP 10.0.7.91.5000 > 10.0.7.6.23406: Flags [S.], seq
1954279591, ack 2061987609, win 65535, options [mss 1452,nop,wscale
6,sackOK,TS val 2210679095 ecr 2684286289], length 0
11:23:53.401381 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4d),
length 72
11:23:53.401406 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x19),
length 72
11:23:53.402241 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4e),
length 72
11:23:53.402355 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4f),
length 72
11:23:53.402369 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x1a),
length 72
11:23:53.402381 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x1b),
length 72
11:23:53.402682 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x50),
length 72

Still on destination, the policy rules in ipsec.conf contain:
# udp
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] udp -P out ipsec
esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] udp -P in ipsec
esp/transport/10.0.7.6-10.0.7.91/require;

# tcp
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P out ipsec
esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] tcp -P in ipsec
esp/transport/10.0.7.6-10.0.7.91/require;


To enable traffic to transit correctly over esp, change the third rule from
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P out ipsec
esp/transport/10.0.7.91-10.0.7.6/require;
to
spdadd 10.0.7.91/32[any] 10.0.7.6/32[any] tcp -P out ipsec
esp/transport/10.0.7.91-10.0.7.6/require;

While on the origin side, /etc/ipsec.conf contains:
# udp 5000
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] udp -P in ipsec
esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] udp -P out ipsec
esp/transport/10.0.7.6-10.0.7.91/require;

# tcp 5000
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P in ipsec
esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] tcp -P out ipsec
esp/transport/10.0.7.6-10.0.7.91/require;

The destination kernel has
options IPSEC
options IPFIREWALL
while the origin kernel has
options IPSEC
options IPFIREWALL
options IPFIREWALL_NAT
The sender has been used extensively with ipsec since 2014;
it's 9.2Stable Feb 22, 2014, previously used as a front for strongswan et al.

icmp was also used over esp using the same association rules and they
worked correctly.

BTW: I did send this to secteam@freebsd.org but it bounced with this explanation:
http://www.openspf.org/Why?s=mfrom;id=dewayne.geraghty@heuristicsystems.com.au;ip=8.8.178.116;r=kris@pcbsd.org
and my spf records are:
heuristicsystems.com.au. 3600 IN TXT "v=spf1 mx ip4:203.41.22.115 -all"
heuristicsystems.com.au. 3600 IN TXT "v=spf2.0/mfrom mx ip4:203.41.22.115 -all
I don't think that this is the right advice???

Kind regards, Dewayne.
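As an added example (not part of the original message or of FreeBSD), a small Python check for the condition reported above: it parses setkey(8) spdadd "require" policies and tcpdump output of the kind quoted in the mail, and flags any cleartext TCP/UDP packet that a matching policy says must be carried inside ESP. It assumes /32 host policies and single-line tcpdump output; the policy and capture text below are constructed samples modelled on the report.

```python
import re

# Constructed sample: the destination-side (10.0.7.91) policies from the report, one per line.
POLICIES = """
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] udp -P out ipsec esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] udp -P in ipsec esp/transport/10.0.7.6-10.0.7.91/require;
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P out ipsec esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] tcp -P in ipsec esp/transport/10.0.7.6-10.0.7.91/require;
"""

# Constructed sample tcpdump lines modelled on the capture in the report (last line added as a
# control: port 22 is not covered by any policy above, so it must not be flagged).
CAPTURE = """
11:23:53.401156 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4c), length 72
11:23:53.401182 IP 10.0.7.91.5000 > 10.0.7.6.23406: Flags [S.], seq 1954279591, ack 2061987609, win 65535, length 0
11:23:53.401406 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x19), length 72
11:23:53.500000 IP 10.0.7.91.22 > 10.0.7.6.40000: Flags [P.], seq 1:10, ack 1, win 1024, length 9
"""

# spdadd SRC/len[port] DST/len[port] proto -P dir ipsec esp/.../require  (assumes /32 hosts)
POLICY_RE = re.compile(
    r"spdadd (\S+?)/\d+\[(\w+)\] (\S+?)/\d+\[(\w+)\] (tcp|udp) -P (in|out) ipsec esp/\S+/require")
# Cleartext TCP/UDP prints host.port on both sides; ESP lines print bare hosts and "ESP(spi=".
CLEAR_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (Flags|UDP)")

def parse_policies(text):
    """Return one dict per 'require' policy: src, sport, dst, dport, proto."""
    return [dict(zip(("src", "sport", "dst", "dport", "proto"), m.groups()[:5]))
            for m in POLICY_RE.finditer(text)]

def _port_matches(policy_port, port):
    return policy_port == "any" or policy_port == port

def find_cleartext_leaks(policies, capture):
    """Return capture lines that are plaintext although a 'require' policy covers them."""
    leaks = []
    for line in capture.splitlines():
        m = CLEAR_RE.search(line)
        if not m:
            continue  # ESP packets (and non-TCP/UDP lines) are not leaks
        src, sport, dst, dport, kind = m.groups()
        proto = "tcp" if kind == "Flags" else "udp"
        if any(p["proto"] == proto and p["src"] == src and p["dst"] == dst
               and _port_matches(p["sport"], sport) and _port_matches(p["dport"], dport)
               for p in policies):
            leaks.append(line.strip())
    return leaks

if __name__ == "__main__":
    for leak in find_cleartext_leaks(parse_policies(POLICIES), CAPTURE):
        print("CLEARTEXT despite require policy:", leak)
```

Run against a live `tcpdump -n -i <iface>` capture and the output of `setkey -DP`, the same logic gives a quick regression check after changing a policy.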
