Date: Fri, 9 Apr 2004 16:20:20 -0700 (PDT)
Message-Id: <200404092320.i39NKKGM022619@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Joachim Schueth
Subject: Re: kern/57760: IPsec policy on inbound trafic is not enforced(allows spoofing)
Reply-To: Joachim Schueth

The following reply was made to PR kern/57760; it has been noted by GNATS.
From: Joachim Schueth
To: freebsd-gnats-submit@FreeBSD.org, dl2kcd@darc.de
Cc:
Subject: Re: kern/57760: IPsec policy on inbound trafic is not enforced (allows spoofing)
Date: Sat, 10 Apr 2004 01:09:47 +0200

Hi,

it is KAME IPsec on FreeBSD 4.8-RELEASE-p13:

    options IPSEC                        #IP security
    options IPSEC_ESP                    #IP security (crypto; define w/ IPSEC)
    options IPSEC_DEBUG                  #debug for IP security

The IP related kernel config diffs relative to GENERIC are:

    #options INET6                       #IPv6 communications protocols
    options IPFIREWALL                   #firewall
    options IPFIREWALL_VERBOSE           #enable logging to syslogd(8)
    options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity

I tried your setkey script, loaded before starting the TCP connection, but again see the following:

    00:48:53.244725 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x1): 1043 > 22: S 3733473463:3733473463(0) win 57344 (DF)
    00:48:53.245627 192.168.64.70.22 > 192.168.64.50.1043: S 3686763453:3686763453(0) ack 3733473464 win 57344 (DF)
    00:48:53.245717 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x2): 1043 > 22: . ack 1 win 57920 (DF)
    00:48:53.256277 192.168.64.70.22 > 192.168.64.50.1043: P 1:40(39) ack 1 win 57920 (DF)
    00:48:53.256549 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x3): 1043 > 22: P 1:40(39) ack 40 win 57920 (DF)
    00:48:53.271242 192.168.64.70.22 > 192.168.64.50.1043: P 40:576(536) ack 40 win 57920 (DF)

So .50 connects to .70 with AH, .70 replies without AH, but the connection continues anyways.

The security policies displayed with setkey -DP are:

On 192.168.64.50:

    192.168.64.70[any] 192.168.64.50[any] any
        in ipsec
        ah/transport//require
        spid=9 seq=1 pid=352 refcnt=1
    192.168.64.50[any] 192.168.64.70[any] any
        out ipsec
        ah/transport//require
        spid=10 seq=0 pid=352 refcnt=1

On 192.168.64.70:

    No SPD entries.

Obviously, 192.168.64.50 ignores the policy in inbound traffic.

Joachim Schueth
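As an added illustration that is not part of the PR or of the FreeBSD/KAME code, the following Python checker cross-references the policy entries printed by setkey -DP against a tcpdump capture and flags every packet between a "require" policy's endpoints that appears without the AH (or ESP) header the policy demands; run on the report's own lines it isolates the two unprotected replies from .70 that the kernel accepted. The sample SPD and capture text are constructed from the report and abbreviated.

```python
import re
# Constructed test inputs, not output from a live system: the SPD as printed by
# `setkey -DP` on 192.168.64.50, and an abbreviated copy of the tcpdump lines
# quoted in the report (the .70 side replies without an AH header).
SPD_TEXT = """\
192.168.64.70[any] 192.168.64.50[any] any
        in ipsec
        ah/transport//require
192.168.64.50[any] 192.168.64.70[any] any
        out ipsec
        ah/transport//require
"""
TCPDUMP_TEXT = """\
00:48:53.244725 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x1): 1043 > 22: S 3733473463:3733473463(0) win 57344 (DF)
00:48:53.245627 192.168.64.70.22 > 192.168.64.50.1043: S 3686763453:3686763453(0) ack 3733473464 win 57344 (DF)
00:48:53.245717 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x2): 1043 > 22: . ack 1 win 57920 (DF)
00:48:53.256277 192.168.64.70.22 > 192.168.64.50.1043: P 1:40(39) ack 1 win 57920 (DF)
"""

# SPD entry: "<src>[port] <dst>[port] <ulp> <in|out> ipsec <proto>/<mode>/<endpoints>/<level>"
SPD_RE = re.compile(
    r"(?P<src>[\d.]+)\[[^\]]*\]\s+(?P<dst>[\d.]+)\[[^\]]*\]\s+\S+\s+"
    r"(?P<dir>in|out)\s+ipsec\s+(?P<proto>\w+)/(?P<mode>\w+)/[^/]*/(?P<level>\w+)"
)
# tcpdump line prefix: timestamp, then "src > dst:" (IPv4 addresses may carry a trailing .port)
PKT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):")

def parse_spd(text):
    """Return the SPD entries in `setkey -DP` output as dicts (src, dst, dir, proto, mode, level)."""
    return [m.groupdict() for m in SPD_RE.finditer(text)]

def host(addr):
    """Drop the port suffix tcpdump appends to IPv4 addresses (a.b.c.d.port -> a.b.c.d)."""
    return ".".join(addr.split(".")[:4])

def find_violations(spd_text, dump_text):
    """List (timestamp, src, dst, direction) for packets that lack the header a 'require' policy demands."""
    rules = [r for r in parse_spd(spd_text) if r["level"] == "require"]
    bad = []
    for line in dump_text.splitlines():
        m = PKT_RE.match(line)
        if m is None:
            continue
        src, dst = host(m["src"]), host(m["dst"])
        for r in rules:
            # tcpdump prints "AH(spi=..." / "ESP(spi=..." when the protocol header is present
            if r["src"] == src and r["dst"] == dst and r["proto"].upper() + "(" not in line:
                bad.append((m["ts"], src, dst, r["dir"]))
    return bad
```

Each reported tuple names the policy direction, so an "in" hit is exactly the case the report describes: a cleartext packet accepted despite an inbound ah/transport//require entry.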