Date: Fri, 23 Mar 2001 00:33:54 +0900
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
To: Mike Harding <mvh@ix.netcom.com>
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/VPN/NAT and filtering
Message-ID: <20010322153354.839F17E75@starfruit.itojun.org>
In-Reply-To: mvh's message of Thu, 22 Mar 2001 07:20:26 PST. <20010322152026.1996C1142A7@netcom1.netcom.com>
>I am not part of the FreeBSD team, but I would like to do a little
>work to incorporate this functionality and ideally I can present it to
>the right folks and get it folded in. Of course if you are merging
>your code back in then that would be fine as well...
>
>One more question, could you tell me what the following flags mean?
>
>#define M_LOOP M_PROTO4
>#define M_AUTHIPDGM M_PROTO5

these flags are basically for inbound processing, and have the following meanings:

M_AUTHIPDGM: IP payload portion went through AH validation, or ESP checksum
M_AUTHIPHDR: IP header portion went through AH validation
M_DECRYPTED: IP payload was encrypted by ESP and decrypted

note that M_AUTHxx will be ripped off when tunnel decapsulation happens, as with the following packet, AH authenticates the outer packet not the inner (IP2 could have been injected by a bad guy).

IP1 AH IP2 payload

also, these flags are used to avoid leaking secret information on icmp responses (we don't want to attach decrypted packet into icmp responses, so we don't attach it if flags are raised).

>I assume that M_AUTHIPDGM is _always_ set for good packets, esp and
>ah, and thus is a good check for skipping the packet filter for packet
>input. I think that packet output doesn't need any special
>processing, but I will check into it.

the issue here is not about "bypass the packet filters if the packet carries AH", doing so may not meet local policy. some cases we want to filter packets with AH out, like based on TCP header or whatever. it is about "do not let tunnelled packets go through ip packet filter twice". in this sense, checking like below is a bit confusing. need some comment lines here.

> >#ifdef IPSEC
> >+ if (m->m_flags & (M_DECRYPTED | M_AUTHIPHDR))
> >+ goto pass;
> >+#endif

itojun
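Review bot: the condition in the quoted hunk cannot tell a tunnel-decapsulated inner packet apart from a transport-mode AH packet, so it implements "bypass the filter if the packet carries AH" rather than "do not let tunnelled packets go through the filter twice". Given that M_AUTHxx is ripped off at tunnel decapsulation, M_AUTHIPHDR can only still be set here on a packet that was never decapsulated, which is exactly the local-policy bypass the reply objects to; conversely, an inner packet that arrived inside an AH tunnel carries none of the three flags at this point and is filtered a second time anyway. Suggest a comment stating the intended case (the second pass of a decapsulated packet) and keying the skip on a marker that decapsulation itself sets, rather than on the authentication and decryption flags.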
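As an added illustration of the flag semantics described in the mail (a model written for this page, not KAME or FreeBSD kernel code), the block below walks the four AH/ESP transport/tunnel cases through the inbound flag lifecycle and compares the quoted check against the stated intent. The flag bit values, the function names and the assumption that the ESP SA carries authentication are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
/* Flag bits with the meanings given in the mail; the bit values are
 * constructed for this model, not the kernel's M_PROTOx assignments. */
#define M_AUTHIPDGM 0x01  /* IP payload passed AH validation or ESP authentication */
#define M_AUTHIPHDR 0x02  /* IP header passed AH validation */
#define M_DECRYPTED 0x04  /* IP payload was ESP-encrypted and has been decrypted */

enum ipsec_proto { AH, ESP };
enum ipsec_mode { TRANSPORT, TUNNEL };

/* Flags left on the mbuf when a verified inbound packet is handed back to
 * ip_input. Assumes the ESP SA is authenticated, so it also sets M_AUTHIPDGM. */
unsigned inbound_flags(enum ipsec_proto proto, enum ipsec_mode mode)
{
    unsigned flags = (proto == AH) ? (M_AUTHIPHDR | M_AUTHIPDGM)
                                   : (M_DECRYPTED | M_AUTHIPDGM);
    /* Tunnel decapsulation strips the outer header and, with it, the M_AUTHxx
     * bits: AH vouched for the outer packet, not for the inner one. */
    if (mode == TUNNEL)
        flags &= ~(M_AUTHIPHDR | M_AUTHIPDGM);
    return flags;
}

/* The condition from the quoted patch. */
bool patch_skips_filter(unsigned flags)
{
    return (flags & (M_DECRYPTED | M_AUTHIPHDR)) != 0;
}

/* The stated intent: skip only the second pass of a decapsulated inner
 * packet, whose outer packet already went through the filter. */
bool intent_skips_filter(enum ipsec_mode mode)
{
    return mode == TUNNEL;
}

/* True when the patch's decision differs from the intent for this case. */
bool patch_disagrees(enum ipsec_proto proto, enum ipsec_mode mode)
{
    return patch_skips_filter(inbound_flags(proto, mode)) != intent_skips_filter(mode);
}

int main(void)
{
    static const char *pn[] = { "AH", "ESP" }, *mn[] = { "transport", "tunnel" };
    for (int p = AH; p <= ESP; p++)
        for (int m = TRANSPORT; m <= TUNNEL; m++)
            printf("%-3s %-9s flags=0x%x %s\n", pn[p], mn[m], inbound_flags(p, m),
                   patch_disagrees(p, m) ? "patch disagrees with intent" : "ok");
    return 0;
}
```

Only the ESP tunnel case comes out as intended; transport-mode AH and ESP packets are skipped although they were never filtered, and an AH-tunnelled inner packet, having lost its M_AUTHxx bits, is filtered again.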