From owner-freebsd-net@FreeBSD.ORG Mon Mar 24 12:45:07 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 92DE41065673 for ; Mon, 24 Mar 2008 12:45:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 5E6048FC26 for ; Mon, 24 Mar 2008 12:45:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id F1D8F41C75C; Mon, 24 Mar 2008 13:45:05 +0100 (CET)
X-Virus-Scanned: amavisd-new at cksoft.de
Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id vmLVUgcgbH74; Mon, 24 Mar 2008 13:45:05 +0100 (CET)
Received: by mail.cksoft.de (Postfix, from userid 66) id 9CE0B41C75B; Mon, 24 Mar 2008 13:45:05 +0100 (CET)
Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 9AA0744487F; Mon, 24 Mar 2008 12:41:09 +0000 (UTC)
Date: Mon, 24 Mar 2008 12:41:09 +0000 (UTC)
From: "Bjoern A. Zeeb"
X-X-Sender: bz@maildrop.int.zabbadoz.net
To: blue
In-Reply-To: <46B044E9.50404@zyxel.com.tw>
Message-ID: <20080324103345.K50685@maildrop.int.zabbadoz.net>
References: <46B044E9.50404@zyxel.com.tw>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec AH tunneling pakcet mis-handling?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 24 Mar 2008 12:45:07 -0000

On Wed, 1 Aug 2007, blue wrote:

Hi,

> Dear all:
>
> I do not know the purpose of the following code at the very beginning of
> ip6_input():
>
> #ifdef IPSEC
>         /*
>          * should the inner packet be considered authentic?
>          * see comment in ah4_input().
>          */
>         if (m) {
>                 m->m_flags &= ~M_AUTHIPHDR;
>                 m->m_flags &= ~M_AUTHIPDGM;
>         }
> #endif
>
> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is the
> end point of the tunnel. After it tore off the outer IPv6 header, the mbuf
> will be inserted into NETISR again. Then ip6_forward() will be called again to
> process the packet. However, in ipsec6_in_reject(), the packet's source and
> destination will match the SP entry. Since ip6_input() has turned off the
> flags M_AUTHIPHDR and M_AUTHIPDGM, the packet will be dropped.
>
> I don't think AH tunnel could work properly with this code.

I was pointed at this.

I am a bit unsure about your setup as you are talking about "AH tunneled"
and "encrypted" while at the end it's "AH tunnel" only. So, are you using
IPsec tunnel mode with ESP and AH or just AH, or ...?

Can you describe in detail the setup in which this would be a problem, and
maybe file a PR so this won't be lost again. We've got other ESP+AH+IPv6
problems pending like PR kern/121373 and I could look into both at the same
time I guess.

PS: I am assuming this was with (Fast) IPsec, not the KAME IPsec
implementation? The date was too close to the change, so I thought it might
be better asking ;-)

Thanks
/bz

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
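The interaction blue describes (tunnel-mode AH decapsulation marks the mbuf as authenticated, the decapsulated inner packet is re-queued through ip6_input(), whose prologue clears those marks, and the subsequent ipsec6_in_reject() policy check then drops it) can be traced in a small model. The following C program is an added illustration written for this archive page; it is not FreeBSD kernel code. The flag values, the struct layout, and the function names ah6_tunnel_decap, ip6_input_model, ipsec6_in_reject_model and tunnel_path_rejects are constructed stand-ins for the real mbuf flags and the ah6_input/ip6_input/ipsec6_in_reject path, and the "require AH" policy stands in for the SP entry the reporter says the inner packet matches.

```c
#include <stdio.h>

/*
 * Constructed stand-ins for the mbuf flags named in the report. The real
 * M_AUTHIPHDR / M_AUTHIPDGM values live in the kernel's sys/mbuf.h; these
 * bit positions are made up for the model.
 */
#define M_AUTHIPHDR  0x0001  /* AH verified the IP header */
#define M_AUTHIPDGM  0x0002  /* AH verified the whole datagram */

/* Minimal stand-in for an mbuf: just the flag word and an outer-header marker. */
struct pkt {
    unsigned flags;
    int has_outer_hdr;   /* 1 while the tunnel's outer IPv6 header is present */
};

/*
 * Stand-in for the security policy (SP) entry the decapsulated packet matches
 * in ipsec6_in_reject(): inbound traffic for this src/dst must have passed AH.
 */
struct policy {
    int require_ah;
};

/* Model of tunnel-mode AH input: verify, mark the mbuf as authenticated,
 * and tear off the outer IPv6 header before re-queueing the inner packet. */
static void ah6_tunnel_decap(struct pkt *p)
{
    p->flags |= M_AUTHIPHDR | M_AUTHIPDGM;
    p->has_outer_hdr = 0;
}

/* Model of the ip6_input() prologue quoted in the report. With clear_auth
 * set it behaves like the #ifdef IPSEC block and drops both AH marks. */
static void ip6_input_model(struct pkt *p, int clear_auth)
{
    if (clear_auth) {
        p->flags &= ~M_AUTHIPHDR;
        p->flags &= ~M_AUTHIPDGM;
    }
}

/* Model of ipsec6_in_reject(): returns 1 when the policy says the packet
 * must have been authenticated but the mbuf no longer carries the marks. */
static int ipsec6_in_reject_model(const struct pkt *p, const struct policy *sp)
{
    if (!sp->require_ah)
        return 0;
    return (p->flags & (M_AUTHIPHDR | M_AUTHIPDGM)) == 0;
}

/*
 * Walk the reported path once: decapsulate, re-inject through ip6_input,
 * then run the policy check. Returns 1 if the inner packet is rejected.
 * clear_auth=1 reproduces the code as quoted; clear_auth=0 shows the
 * outcome if the marks survived re-injection.
 */
int tunnel_path_rejects(int clear_auth)
{
    struct pkt p = { .flags = 0, .has_outer_hdr = 1 };
    struct policy sp = { .require_ah = 1 };

    ah6_tunnel_decap(&p);             /* inner packet verified, outer header gone */
    ip6_input_model(&p, clear_auth);  /* re-queued via NETISR */
    return ipsec6_in_reject_model(&p, &sp);
}

int main(void)
{
    printf("marks cleared on re-injection -> rejected: %d\n", tunnel_path_rejects(1));
    printf("marks preserved               -> rejected: %d\n", tunnel_path_rejects(0));
    return 0;
}
```

The model only captures the flag bookkeeping, which is the point of the report; it says nothing about whether the real SP lookup matches the inner packet in the reporter's configuration, which is exactly the detail Bjoern asks blue to pin down before the behaviour can be called a bug.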