From owner-freebsd-security Thu Mar 22 7:34:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from starfruit.itojun.org (ipv6host1.laptops.meeting.ietf.org [135.222.63.249])
	by hub.freebsd.org (Postfix) with ESMTP id DEE1137B71A
	for ; Thu, 22 Mar 2001 07:34:15 -0800 (PST)
	(envelope-from itojun@itojun.org)
Received: from itojun.org (localhost [127.0.0.1])
	by starfruit.itojun.org (Postfix) with ESMTP id 839F17E75;
	Fri, 23 Mar 2001 00:33:54 +0900 (JST)
To: Mike Harding
Cc: freebsd-security@freebsd.org
In-reply-to: mvh's message of Thu, 22 Mar 2001 07:20:26 PST.
	<20010322152026.1996C1142A7@netcom1.netcom.com>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: Jun-ichiro itojun Hagino
Date: Fri, 23 Mar 2001 00:33:54 +0900
Message-Id: <20010322153354.839F17E75@starfruit.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I am not part of the FreeBSD team, but I would like to do a little
>work to incorporate this functionality and ideally I can present it to
>the right folks and get it folded in.  Of course if you are merging
>your code back in then that would be fine as well...
>
>One more question, could you tell me what the following flags mean?
>
>#define M_LOOP M_PROTO4
>#define M_AUTHIPDGM M_PROTO5

	these flags are basically for inbound processing, and have the
	following meanings:

	M_AUTHIPDGM: IP payload portion went through AH validation, or ESP checksum
	M_AUTHIPHDR: IP header portion went through AH validation
	M_DECRYPTED: IP payload was encrypted by ESP and decrypted

	note that M_AUTHxx will be ripped off when tunnel decapsulation
	happens, as with the following packet, AH authenticates the outer
	packet not the inner (IP2 could have been injected by a bad guy).

	IP1 AH IP2 payload

	also, these flags are used to avoid leaking secret information on
	icmp responses (we don't want to attach decrypted packet into icmp
	responses, so we don't attach it if flags are raised).

>I assume that M_AUTHIPDGM is _always_ set for good packets, esp and
>ah, and thus is a good check for skipping the packet filter for packet
>input.  I think that packet output doesn't need any special
>processing, but I will check into it.

	the issue here is not about "bypass the packet filters if the
	packet carries AH", doing so may not meet local policy.  some cases
	we want to filter packets with AH out, like based on TCP header or
	whatever.

	it is about "do not let tunnelled packets go through ip packet
	filter twice".  in this sense, checking like below is a bit
	confusing.  need some comment lines here.

> >#ifdef IPSEC
> >+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
> >+ goto pass;
> >+#endif

itojun
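Review bot: the condition `(M_DECRYPTED | M_AUTHIPHDR)` in front of `goto pass` does not match the stated intent of skipping the filter only for packets that already went through it once before tunnel decapsulation. M_AUTHIPHDR is set by transport-mode AH input on packets that were never tunnelled, so those bypass the filter even where local policy wants AH traffic filtered on the TCP header, while an inner packet decapsulated from an AH-only tunnel has had its M_AUTHxx flags stripped and will be filtered a second time. Add a comment above `#ifdef IPSEC` stating exactly which packets the bypass is for, and key the test on a marker that says "this packet was decapsulated" rather than on the authentication flags.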
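As an added example, not code from the original mail, from KAME or from FreeBSD, the following is a small user-space C model of the flag rules itojun describes: which flags each inbound path raises, how tunnel decapsulation strips M_AUTHxx, why an ICMP error must not quote the datagram, and how the quoted `goto pass` check compares with the "filter once" policy for transport AH, AH tunnel and ESP tunnel packets. The flag bit values, `struct pkt`, and every function name are assumptions of the model; keeping M_DECRYPTED on the inner packet across decapsulation is an assumption the mail does not state.

```c
/*
 * Added example, not KAME or FreeBSD kernel code: a user-space model of the
 * M_AUTHIPHDR / M_AUTHIPDGM / M_DECRYPTED rules the mail describes.  Flag
 * names come from the mail; bit values, struct pkt and all functions are
 * constructed for this illustration.
 */
#include <stdbool.h>
#include <stdio.h>

#define M_AUTHIPHDR 0x0001   /* assumed bit positions, not the kernel's */
#define M_DECRYPTED 0x0002
#define M_AUTHIPDGM 0x0004

struct pkt {
	unsigned flags;   /* model of m->m_flags */
	int decap_depth;  /* constructed: outer IP headers stripped so far */
	bool filtered;    /* constructed: outer packet already passed the filter */
};

/* Transport-mode AH input: IP header and payload are both validated. */
static void ah_input(struct pkt *p)
{
	p->flags |= M_AUTHIPHDR | M_AUTHIPDGM;
}

/* ESP input: payload decrypted; ESP authentication covers the payload only,
 * never the outer IP header, so M_AUTHIPHDR is not raised here. */
static void esp_input(struct pkt *p, bool esp_auth)
{
	p->flags |= M_DECRYPTED;
	if (esp_auth)
		p->flags |= M_AUTHIPDGM;
}

/* Tunnel decapsulation, "IP1 AH IP2 payload" -> "IP2 payload".  Per the mail
 * M_AUTHxx is ripped off: AH covered the outer packet only, IP2 may have been
 * injected.  Leaving M_DECRYPTED in place is a modelling assumption. */
static void tunnel_decap(struct pkt *p)
{
	p->flags &= ~(M_AUTHIPHDR | M_AUTHIPDGM);
	p->decap_depth++;
}

/* The check quoted in the mail: skip the filter on M_DECRYPTED or M_AUTHIPHDR. */
static bool posted_check_skips_filter(const struct pkt *p)
{
	return (p->flags & (M_DECRYPTED | M_AUTHIPHDR)) != 0;
}

/* The policy the mail states: filter once, i.e. skip only a decapsulated
 * inner packet whose outer packet was already filtered. */
static bool intended_skip_filter(const struct pkt *p)
{
	return p->decap_depth > 0 && p->filtered;
}

/* ICMP error generation: the mail says the datagram is not attached when
 * these flags are raised, so decrypted data never leaks in clear text. */
static bool icmp_may_attach_payload(const struct pkt *p)
{
	return (p->flags & (M_DECRYPTED | M_AUTHIPHDR | M_AUTHIPDGM)) == 0;
}

/* Transport AH, never tunnelled: the posted check bypasses the filter although
 * local policy may want to filter AH packets on the TCP header. */
static bool transport_ah_bypasses_posted_check(void)
{
	struct pkt p = { 0, 0, true };
	ah_input(&p);
	return posted_check_skips_filter(&p) && !intended_skip_filter(&p);
}

/* AH tunnel: no flag survives decapsulation, so the posted check runs the
 * inner packet through the filter a second time. */
static bool ah_tunnel_inner_filtered_twice(void)
{
	struct pkt p = { 0, 0, true };
	ah_input(&p);
	tunnel_decap(&p);
	return !posted_check_skips_filter(&p) && intended_skip_filter(&p);
}

/* Authenticated ESP tunnel: M_DECRYPTED survives (model assumption), and the
 * posted check agrees with the intended policy. */
static bool esp_tunnel_inner_skipped(void)
{
	struct pkt p = { 0, 0, true };
	esp_input(&p, true);
	tunnel_decap(&p);
	return posted_check_skips_filter(&p) && intended_skip_filter(&p);
}

/* Decrypted ESP payload is never quoted in an ICMP error; plain traffic is. */
static bool icmp_rule_holds(void)
{
	struct pkt esp = { 0, 0, false }, plain = { 0, 0, false };
	esp_input(&esp, true);
	return !icmp_may_attach_payload(&esp) && icmp_may_attach_payload(&plain);
}

int main(void)
{
	printf("transport AH bypasses posted check: %d\n", transport_ah_bypasses_posted_check());
	printf("AH tunnel inner filtered twice:     %d\n", ah_tunnel_inner_filtered_twice());
	printf("ESP tunnel inner skipped:           %d\n", esp_tunnel_inner_skipped());
	printf("ICMP quoting rule holds:            %d\n", icmp_rule_holds());
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`; each scenario function returns true when the model behaves as the mail describes, so the first two show the quoted check diverging from the "filter once" policy in opposite directions (bypassing a transport AH packet, double-filtering an AH tunnel's inner packet), while only the ESP tunnel case happens to line up.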