From owner-freebsd-net@FreeBSD.ORG  Wed Feb 19 11:23:11 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 21E45E3F
 for <freebsd-net@freebsd.org>; Wed, 19 Feb 2014 11:23:11 +0000 (UTC)
Received: from smtp.novso.com (smtp1.novso.com [193.189.104.85])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id DDAC81A26
 for <freebsd-net@freebsd.org>; Wed, 19 Feb 2014 11:23:10 +0000 (UTC)
Message-ID: <1392808981.10645.15.camel@srv31.corp.novso.com>
Subject: Re: ipsec foils traceroute on gre/gif
From: Nicolas DEFFAYET <nicolas-ml@deffayet.com>
To: David DeSimone <ddesimone@verio.net>
Date: Wed, 19 Feb 2014 11:23:01 +0000
In-Reply-To: <CAABACD8BCAE7B4B8A7906EEDC9DEBC501FD4D1B@IAD-WPRD-XCHB01.corp.verio.net>
References: <201402180613.s1I6DdhS020353@dark.beer.net>
 <CAABACD8BCAE7B4B8A7906EEDC9DEBC501FD4D1B@IAD-WPRD-XCHB01.corp.verio.net>
Organization: DEFFAYET.COM
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.4.4-3.noclutter 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Michael Glasgow <glasgow@beer.net>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 11:23:11 -0000

On Tue, 2014-02-18 at 13:26 -0500, David DeSimone wrote: 
> My understanding of this issue is that replying with an ICMP message for traceroute carries the risk of violating security policy.
> 
> When an ICMP Unreachable packet is generated, the first 64 octets in the packet are copied into the reply.  If the packet was originally encrypted with IPSEC, those octets  were never seen unencrypted on the wire.  If the ICMP Unreachable were permitted to be generated and sent, it could very well reveal the unencrypted IPSEC packet contents on the wire, because the source/destination IP's of the ICMP message no longer matches SPD's.
> 
> Thus the conservative decision in the kernel is to drop the TTL-exceeded packet coming from IPSEC, with no reply.
> 
> In other words, "working as intended."

Is it possible to add a sysctl for turn on/off this per interface or
it's too complex ?

-- 
Nicolas DEFFAYET