Date: Fri, 9 Apr 2004 16:20:20 -0700 (PDT)
From: Joachim Schueth <spam_vanishes_here@yahoo.de>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/57760: IPsec policy on inbound trafic is not enforced(allows spoofing)
Message-ID: <200404092320.i39NKKGM022619@freefall.freebsd.org>
The following reply was made to PR kern/57760; it has been noted by GNATS.

From: Joachim Schueth <spam_vanishes_here@yahoo.de>
To: freebsd-gnats-submit@FreeBSD.org, dl2kcd@darc.de
Cc:
Subject: Re: kern/57760: IPsec policy on inbound trafic is not enforced (allows spoofing)
Date: Sat, 10 Apr 2004 01:09:47 +0200

Hi,

it is KAME IPsec on FreeBSD 4.8-RELEASE-p13:

    options IPSEC                   #IP security
    options IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
    options IPSEC_DEBUG             #debug for IP security

The IP-related kernel config diffs relative to GENERIC are:

    #options INET6                  #IPv6 communications protocols
    options IPFIREWALL              #firewall
    options IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
    options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity

I tried your setkey script, loaded before starting the TCP connection, but again see the following:

    00:48:53.244725 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x1): 1043 > 22: S 3733473463:3733473463(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 1439648[|tcp]> (DF)
    00:48:53.245627 192.168.64.70.22 > 192.168.64.50.1043: S 3686763453:3686763453(0) ack 3733473464 win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 117291739 1439648> (DF)
    00:48:53.245717 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x2): 1043 > 22: . ack 1 win 57920 <nop,nop,timestamp 1439649 117291739> (DF)
    00:48:53.256277 192.168.64.70.22 > 192.168.64.50.1043: P 1:40(39) ack 1 win 57920 <nop,nop,timestamp 117291740 1439649> (DF)
    00:48:53.256549 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x3): 1043 > 22: P 1:40(39) ack 40 win 57920 <nop,nop,timestamp 1439660 117291740> (DF)
    00:48:53.271242 192.168.64.70.22 > 192.168.64.50.1043: P 40:576(536) ack 40 win 57920 <nop,nop,timestamp 117291742 1439660> (DF)

So .50 connects to .70 with AH, .70 replies without AH, but the connection continues anyway.
The security policies displayed with setkey -DP are:

On 192.168.64.50:

    192.168.64.70[any] 192.168.64.50[any] any
        in ipsec
        ah/transport//require
        spid=9 seq=1 pid=352 refcnt=1
    192.168.64.50[any] 192.168.64.70[any] any
        out ipsec
        ah/transport//require
        spid=10 seq=0 pid=352 refcnt=1

On 192.168.64.70:

    No SPD entries.

Obviously, 192.168.64.50 ignores the policy on inbound traffic.

Joachim Schueth
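The mismatch the reporter observed (an inbound "require" AH policy, yet cleartext replies accepted) can be checked mechanically from a packet capture. The following is an added example, not part of the original report or of FreeBSD/KAME: it parses tcpdump lines in the format shown above, expresses the two SPD entries from `setkey -DP` as tuples, and lists every packet that the policy says must carry AH but that was seen without it. The sample trace is the reporter's six lines re-typed with the TCP option details trimmed; the `SPD_50`, `Packet`, `parse_trace`, `audit` and `ah_replay_window_ok` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the six tcpdump lines from the report, with the
# TCP option lists trimmed (they do not matter for the policy check).
SAMPLE_TRACE = """\
00:48:53.244725 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x1): 1043 > 22: S 3733473463:3733473463(0) win 57344 (DF)
00:48:53.245627 192.168.64.70.22 > 192.168.64.50.1043: S 3686763453:3686763453(0) ack 3733473464 win 57344 (DF)
00:48:53.245717 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x2): 1043 > 22: . ack 1 win 57920 (DF)
00:48:53.256277 192.168.64.70.22 > 192.168.64.50.1043: P 1:40(39) ack 1 win 57920 (DF)
00:48:53.256549 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x3): 1043 > 22: P 1:40(39) ack 40 win 57920 (DF)
00:48:53.271242 192.168.64.70.22 > 192.168.64.50.1043: P 40:576(536) ack 40 win 57920 (DF)
"""

# The SPD of 192.168.64.50 as printed by `setkey -DP` in the report,
# written as (src, dst, direction, protocol, level) tuples.
SPD_50 = [
    ("192.168.64.70", "192.168.64.50", "in",  "ah", "require"),
    ("192.168.64.50", "192.168.64.70", "out", "ah", "require"),
]

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    ah_spi: Optional[int]   # None when the packet carried no AH header
    ah_seq: Optional[int]

# tcpdump prints "a.b.c.d.port > e.f.g.h.port:" for plain TCP and
# "a.b.c.d > e.f.g.h: AH(spi=...,seq=...): sport > dport:" for AH-protected TCP.
PKT_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)
AH_RE = re.compile(r"^AH\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")

def parse_trace(text: str) -> List[Packet]:
    """Turn tcpdump output into Packet records; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue   # banner, truncated line, or a non-IP packet
        ah = AH_RE.match(m.group("rest"))
        pkts.append(Packet(
            ts=m.group("ts"), src=m.group("src"), dst=m.group("dst"),
            ah_spi=int(ah.group("spi"), 16) if ah else None,
            ah_seq=int(ah.group("seq"), 16) if ah else None,
        ))
    return pkts

def audit(pkts: List[Packet], spd, local: str) -> List[Tuple[str, str, str, str]]:
    """Return (ts, direction, src, dst) for every packet that a 'require' AH policy
    covers but which was seen without an AH header. With a correctly enforced
    inbound policy the 'in' direction can never appear here, because the kernel
    would have dropped the packet before TCP ever saw it."""
    violations = []
    for p in pkts:
        if p.src == local:
            direction = "out"
        elif p.dst == local:
            direction = "in"
        else:
            continue   # traffic between other hosts; not covered by this SPD
        for (s, d, dirn, proto, level) in spd:
            if (s, d, dirn) == (p.src, p.dst, direction) and proto == "ah" and level == "require":
                if p.ah_spi is None:
                    violations.append((p.ts, direction, p.src, p.dst))
    return violations

def ah_replay_window_ok(pkts: List[Packet], spi: int) -> bool:
    """Sanity check on the protected direction: AH sequence numbers for one SPI
    must strictly increase, since a receiver's anti-replay window rejects repeats."""
    seqs = [p.ah_seq for p in pkts if p.ah_spi == spi]
    return all(b > a for a, b in zip(seqs, seqs[1:]))

if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for v in audit(pkts, SPD_50, local="192.168.64.50"):
        print("policy violation:", *v)
```

Run against the reporter's trace this flags the three replies from .70 as inbound policy violations and nothing in the outbound direction, which is exactly the asymmetry the report describes: the host honours its own "out ... require" entry but accepts cleartext that its "in ... require" entry should reject.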
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404092320.i39NKKGM022619>