From owner-freebsd-bugs Sun Mar 26 11:10: 4 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id A65FF37B865
	for ; Sun, 26 Mar 2000 11:10:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id LAA28755;
	Sun, 26 Mar 2000 11:10:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10])
	by hub.freebsd.org (Postfix) with ESMTP id A69DF37B933
	for ; Sun, 26 Mar 2000 11:06:02 -0800 (PST)
	(envelope-from louie@whizzo.transsys.com)
Received: (from louie@localhost)
	by whizzo.transsys.com (8.9.3/8.9.1) id OAA00589;
	Sun, 26 Mar 2000 14:06:01 -0500 (EST)
	(envelope-from louie)
Message-Id: <200003261906.OAA00589@whizzo.transsys.com>
Date: Sun, 26 Mar 2000 14:06:01 -0500 (EST)
From: Louis Mamakos
Reply-To: louie@TransSys.COM
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/17606: traceroute vs. IPSEC surprise
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         17606
>Category:       bin
>Synopsis:       traceroute vs. IPSEC surprise
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 26 11:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Louis Mamakos
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:

	FreeBSD 5.0-current, with IPSECv4 configured.

>Description:

	When doing a traceroute to a destination host, the packets emitted
	are subject to whatever the default IPSEC policy is. If the default
	policy is to use an encrypted payload for all traffic to the
	destination, the intermediate hops are unable to return an ICMP
	time exceeded error.

>How-To-Repeat:

	As described.

>Fix:

	I dunno. This could be a documentation bug.

	This might be solved by having traceroute supply its own IPSEC
	policy to not send encrypted traffic as long as responses are being
	returned by intermediate hops. It's unclear if this is a bug or a
	feature.

>Release-Note:
>Audit-Trail:
>Unformatted:
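
The per-socket policy idea raised under >Fix: can be sketched as follows. This is an added example, not code from the report or from FreeBSD's traceroute. It assumes FreeBSD's libipsec (`ipsec_set_policy(3)`, linked with `-lipsec`) and the `IP_IPSEC_POLICY` socket option; the helper names are hypothetical, and it applies an unconditional bypass rather than the "as long as responses are being returned" behaviour the report suggests.

```c
/* Added example: exempt a traceroute-style probe socket from the default IPsec policy. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __FreeBSD__
#include <netipsec/ipsec.h>	/* libipsec prototypes; link with -lipsec */
#endif

/* Policy strings in ipsec_set_policy(3) syntax, one per direction. */
static const char *const probe_policies[] = { "in bypass", "out bypass" };
#define NPOLICIES (sizeof(probe_policies) / sizeof(probe_policies[0]))

/* Attach one policy to socket `so` (hypothetical helper). 0 on success, -1 on failure. */
static int set_socket_policy(int so, const char *policy)
{
#ifdef __FreeBSD__
	char *buf = ipsec_set_policy(policy, (int)strlen(policy));
	int rc;
	if (buf == NULL) {		/* string did not parse */
		fprintf(stderr, "%s: %s\n", policy, ipsec_strerror());
		return -1;
	}
	rc = setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
	free(buf);
	return rc == 0 ? 0 : -1;	/* "bypass" is refused without privilege */
#else
	(void)so; (void)policy;
	errno = ENOSYS;			/* no libipsec on this platform */
	return -1;
#endif
}

/* Bypass in both directions, so probes leave in the clear and replies are accepted. */
int bypass_ipsec_for_probes(int so)
{
	for (size_t i = 0; i < NPOLICIES; i++)
		if (set_socket_policy(so, probe_policies[i]) != 0)
			return -1;
	return 0;
}

int main(void) {
	int so = socket(AF_INET, SOCK_DGRAM, 0);
	return (so >= 0 && bypass_ipsec_for_probes(so) == 0) ? 0 : 1;
}
```

A caller should treat a -1 return as a signal that its probes remain subject to the system default policy, not as a fatal error.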