Date: Thu, 13 Jun 2002 08:18:58 -0700 (PDT)
From: Atul Sharma <atul.sharma@nokia.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/39233: NonConforming IPsec implementation from FreeBSD(Kame): AH does not interoperate
Message-ID: <200206131518.g5DFIwY6058866@www.freebsd.org>

>Number:         39233
>Category:       kern
>Synopsis:       NonConforming IPsec implementation from FreeBSD(Kame): AH does not interoperate
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 13 08:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Atul Sharma
>Release:        4.5-RELEASE FreeBSD racoon 1.18
>Organization:
Nokia Internet Communications, Nokia
>Environment:
FreeBSD rnc2.iprg.nokia.com 4.5-RELEASE FreeBSD 4.5-RELEASE #6
>Description:
Recently, while interoperating Nokia IPxxx boxes' IPsec with FreeBSD Kame IPsec, we found problems with AH (while Nokia interoperated with Cisco and Win2k for all modes). Looking at the Kame code, there are the following problems:

(1) For IPv4, the mutable fields TOS, Flags, Fragment offset are not zeroed out before calculating ICV in the routine ah4_calcchecksum() in file ah_core.c like RFC 2402 says.

(2) AH tunnel mode is not supported. Even though the code is there, AH tunnel mode is switched off, stating that we cannot consider the inner IP packet as really authenticated, as it could have been tampered with between the host and the tunnel endpoint. It is just the outer IP packet which can be considered authenticated. Should we make an implementation un-interoperable because of this concern? Interestingly, AH tunnel for IPv6 still works, despite an attempt to switch it off, because of the way SPD for the IPv6 case is set up!!
>How-To-Repeat:
Take a FreeBSD RELEASE 4.5 box and a Nokia IPxxx platform running IPSO3.6:

-- Here is the setup: BSD (rnc2) <----> IPSO (ipdsqa190)
-- The systems are connected back to back
-- The BSD is running FreeBSD 4.5 with racoon 1.18
-- The following combinations work fine between the systems:
   Transport Mode:
      IPv6 with ESP and AH
      IPv4 with ESP and AH
   Tunnel Mode:
      IPv6 with ESP and AH
      IPv4 in ESP
-- Just the IPv4 AH case doesn't work.
-- If the ping starts from the IPSO box, I see echo requests in tcpdump but no replies, i.e. bsd drops the request itself
-- If the ping starts from the BSD box, I see both echo requests and replies in tcpdump but no output in the ping program. So BSD drops the replies.
-- In both cases, BSD is dropping IPSO's IPv4 AH packets
-- All the other combinations just work fine, so I really don't think that I am configuring something wrong.
>Fix:
In ah4_calccksum(), zero out iphdr.ip_tos and ip_hdr.ip_off, lines 756-758.
In ah_input.c lines 467-468, do not disable M_AUTHIPHDR and M_AUTHIPDGM in the m->m_flags.
>Release-Note:
>Audit-Trail:
>Unformatted:
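
Point (1) of the report turns on the RFC 2402 rule that the mutable IPv4 header fields (TOS, Flags, Fragment Offset, TTL, Header Checksum) are treated as zero when the ICV is computed, so both peers hash identical bytes. The following stand-alone C code is an added illustration, not KAME or FreeBSD code and not part of the original report; the function names, offset constants and sample headers are constructed for this example, and it handles only option-less (20-byte) IPv4 headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4_HDR 20 /* option-less IPv4 header length */
/* Byte offsets in the IPv4 header (RFC 791). */
enum { OFF_VHL = 0, OFF_TOS = 1, OFF_FRAG = 6, OFF_TTL = 8, OFF_SUM = 10 };

/* Constructed sample: header as sent (192.0.2.1 -> 192.0.2.2, proto 51 = AH). */
static const uint8_t sample_sent[IP4_HDR] = {
    0x45, 0x00, 0x00, 0x54, 0x12, 0x34, 0x40, 0x00, 0x40, 0x33, 0xa4, 0x3f,
    0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02 };
/* Constructed: same header as received, with TOS, flags, TTL, checksum changed. */
static const uint8_t sample_rcvd[IP4_HDR] = {
    0x45, 0x10, 0x00, 0x54, 0x12, 0x34, 0x00, 0x00, 0x3f, 0x33, 0xe5, 0x2f,
    0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02 };

/*
 * Copy an option-less IPv4 header into out[] with the RFC 2402 mutable
 * fields zeroed; out[] is what would be fed to the ICV algorithm.
 * Returns 0 on success, -1 if pkt is not a 20-byte IPv4 header.
 */
int ah4_icv_header(const uint8_t *pkt, size_t len, uint8_t out[IP4_HDR])
{
    if (pkt == NULL || len < IP4_HDR)
        return -1;
    if ((pkt[OFF_VHL] >> 4) != 4 || (pkt[OFF_VHL] & 0x0f) != 5)
        return -1; /* IP options need per-option treatment, not covered */
    memcpy(out, pkt, IP4_HDR);
    out[OFF_TOS] = 0;                      /* Type of Service */
    out[OFF_FRAG] = out[OFF_FRAG + 1] = 0; /* Flags + Fragment Offset */
    out[OFF_TTL] = 0;                      /* Time to Live */
    out[OFF_SUM] = out[OFF_SUM + 1] = 0;   /* Header Checksum */
    return 0;
}

/* Returns 1 if both headers yield the same ICV input, 0 otherwise. */
int ah4_same_icv_input(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t za[IP4_HDR], zb[IP4_HDR];
    if (ah4_icv_header(a, len, za) != 0 || ah4_icv_header(b, len, zb) != 0)
        return 0;
    return memcmp(za, zb, IP4_HDR) == 0;
}

int main(void)
{
    printf("sent vs received ICV input match: %d\n",
           ah4_same_icv_input(sample_sent, sample_rcvd, IP4_HDR));
    return 0;
}
```

If an implementation leaves TOS or the fragment field unzeroed, the two sample headers hash differently and the receiver rejects the packet as failing authentication, which matches the drops described in the report.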