Date: Tue, 22 Mar 2011 00:11:29 -0500
From: "David DeSimone" <fox@verio.net>
To: <freebsd-net@freebsd.org>
Message-ID: <20110322051128.GM9636@verio.net>
Mail-Followup-To: freebsd-net@freebsd.org
References: <cabf825bc3c602d1a1b638fa9aae35da@localhost>
In-reply-to: <cabf825bc3c602d1a1b638fa9aae35da@localhost>
Subject: Re: tcp/ip stack sending icmp "ttl exceeded in traffic" back through gre \w ipsec-esp encryption tunnels.
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

Andrei Manescu - Ivorde <andrei.manescu@ivorde.ro> wrote:
>
> Problem: RouterA and RouterB in the following diagram are FreeBSD
> 6.4-STABLE and 7.4-STABLE running a gre tunnel and ipsec transport mode
> encryption on top of it.
>
> None of them send an icmp error "TTL Exceeded in traffic" when the TTL
> of the packet reaches 0 after they decrement it.
>
> hostA----RouterA--GRE-inside-IPSEC/ESP/transport---RouterB---hostB
>
> Packets sent from hostA to hostB with a TTL 2 that should have an ICMP
> "TTL exceeded in traffic" returned by RouterB have no effect.

Isn't this by design?

An ICMP reply might be sent to an unrelated router hop, meaning there is
no security association for it.  Since that ICMP reply will contain the
header of the expired packet, sending that reply will take a packet
that was encrypted, and send part of it back, unencrypted.  This could
potentially provide an attacker with some known plaintext with which to
attack your VPN's encryption keys.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
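The policy David describes, modelled as an added example (not FreeBSD's code and not from either poster): a decapsulating router expires an inner packet, builds the RFC 792 Time Exceeded payload, and emits it only when the return route is itself ESP-protected, since that payload quotes 28 bytes that were just decrypted. Addresses, interface names and the routing table are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ICMP_TIME_EXCEEDED = 11  # RFC 792 type 11, code 0: TTL exceeded in transit

def ipv4_header(src, dst, ttl, proto, total_len=28):
    """20-byte IPv4 header; checksum left 0 (constructed sample, never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def icmp_time_exceeded(expired):
    """ICMP header plus the expired datagram's IP header and first 8 bytes:
    exactly the bytes ESP was protecting until decapsulation."""
    return struct.pack("!BBHHH", ICMP_TIME_EXCEEDED, 0, 0, 0, 0) + expired[:28]

def handle_inner(pkt, routes, protected_ifaces, arrived_protected=True):
    """After GRE/ESP decapsulation: forward with TTL-1, or on expiry decide
    whether an ICMP error may be sent. routes: [(IPv4Network, ifname)];
    protected_ifaces: interfaces whose traffic is covered by an SA."""
    ttl = pkt[8]
    if ttl > 1:
        return "forward", pkt[:8] + bytes([ttl - 1]) + pkt[9:]
    src = IPv4Address(pkt[12:16])
    iface = next((i for net, i in routes if src in net), None)
    if not arrived_protected or iface in protected_ifaces:
        return "icmp_via_sa", icmp_time_exceeded(pkt)
    # Return path is cleartext: sending would leak known plaintext, so drop.
    return "drop_silently", None

# Constructed topology: hostA 10.1.0.10 behind RouterA, hostB 10.2.0.10 behind RouterB.
ROUTES = [(IPv4Network("10.1.0.0/16"), "gre0"), (IPv4Network("0.0.0.0/0"), "em0")]
UDP_STUB = b"\x04\xd2\x00\x35\x00\x1c\xab\xcd"  # constructed 8-byte UDP header

def demo(route_via="gre0"):
    """hostA sent TTL 2; RouterA took it to 1; RouterB now expires it.
    route_via selects the interface RouterB would use to reach hostA."""
    pkt = ipv4_header("10.1.0.10", "10.2.0.10", ttl=1, proto=17) + UDP_STUB
    routes = [(IPv4Network("10.1.0.0/16"), route_via), ROUTES[1]]
    return handle_inner(pkt, routes, {"gre0"})

if __name__ == "__main__":
    for via in ("gre0", "em0"):
        action, msg = demo(via)
        print(via, action, msg.hex() if msg else None)
```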
