Date:      Mon, 24 Mar 2008 21:08:21 +0800
From:      blue <susan.lan@zyxel.com.tw>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPsec AH tunneling packet mis-handling?
Message-ID:  <47E7A7C5.2090509@zyxel.com.tw>
In-Reply-To: <20080324103345.K50685@maildrop.int.zabbadoz.net>
References:  <46B044E9.50404@zyxel.com.tw> <20080324103345.K50685@maildrop.int.zabbadoz.net>

Sorry, maybe my words confused you.

What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which 
is currently IPSEC in FreeBSD-7.0.

BR,
Yi-Wen

Bjoern A. Zeeb wrote:

> On Wed, 1 Aug 2007, blue wrote:
>
> Hi,
>
>
>> Dear all:
>>
>> I do not know the purpose of the following codes in the very 
>> beginning in ip6_input():
>>
>> #ifdef IPSEC
>>   /*
>>    * should the inner packet be considered authentic?
>>    * see comment in ah4_input().
>>    */
>>   if (m) {
>>       m->m_flags &= ~M_AUTHIPHDR;
>>       m->m_flags &= ~M_AUTHIPDGM;
>>   }
>> #endif
>>
>> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD 
>> is the end point of the tunnel. After it tore off the outer IPv6 
>> header, the mbuf will be inserted to NETISR again. Then ip6_forward() 
>> will be called again to process the packet. However, in 
>> ipsec6_in_reject(), the packet's source and destination will match 
>> the SP entry. Since ip6_input() has turned off the flag M_AUTHIPHDR 
>> and M_AUTHIPDGM, the packet will be dropped.
>>
>> I don't think with the codes AH tunnel could work properly.
>
>
> I was pointed at this.
>
> I am a bit unsure about your setup as you are talking about "AH
> tunneled" and "encrypted" while at the end it's "AH tunnel" only.
> So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
>
> Can you describe the setup this would be a problem in detail and maybe
> file a PR so this won't be lost again.
>
> We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
> could look into both at the same time I guess.
>
> PS: I am assuming this was with (Fast) IPsec, not KAME IPsec
> implementation? The date was too close to the change, so I thought it
> might be better asking;-)
>
> Thanks
> /bz
>
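The two-pass flow the original poster describes (AH verification sets the authentication flags and strips the outer header, the inner packet is re-injected, ip6_input() clears the flags again before the policy check runs) can be traced in a small model. The program below is an added illustration written for this page; it is not FreeBSD source, and the struct names, the `model_*` functions and the bit values chosen for the flags are assumptions standing in for the real mbuf, ah6_input(), ip6_input() and ipsec6_in_reject() code. It only models the ordering of flag clearing versus the policy check, which is the point of the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bit values for a toy model; the real kernel defines its own. */
#define M_AUTHIPHDR 0x1u   /* IP header was authenticated by AH */
#define M_AUTHIPDGM 0x2u   /* datagram payload was authenticated by AH */
#define M_AUTHFLAGS (M_AUTHIPHDR | M_AUTHIPDGM)

/* Minimal stand-in for the mbuf fields the thread talks about. */
struct pkt {
    uint32_t m_flags;
    bool     outer_hdr_present;   /* true until the AH tunnel is decapsulated */
};

/* Hypothetical security-policy entry for the inner flow. */
struct policy {
    bool require_ah;
};

/* Model of the AH input path: verification succeeded, so the packet is
 * marked as authenticated and, in tunnel mode, the outer header is removed
 * before the inner packet is queued for a second pass through ip6_input(). */
static void model_ah_input(struct pkt *p)
{
    p->m_flags |= M_AUTHFLAGS;
    p->outer_hdr_present = false;
}

/* Model of the ipsec6_in_reject() decision: a flow whose policy requires AH
 * is rejected unless the mbuf still carries both authentication flags. */
static bool model_in_reject(const struct pkt *p, const struct policy *sp)
{
    if (!sp->require_ah)
        return false;
    return (p->m_flags & M_AUTHFLAGS) != M_AUTHFLAGS;
}

/* Model of ip6_input() for the inner packet. clear_on_entry reproduces the
 * quoted snippet, which zeroes the flags before the policy check can see
 * them. Returns true when the packet survives the policy check. */
static bool model_ip6_input(struct pkt *p, const struct policy *sp,
                            bool clear_on_entry)
{
    if (clear_on_entry)
        p->m_flags &= ~M_AUTHFLAGS;
    return !model_in_reject(p, sp);
}

/* Run the two passes from the report. Pass 1 handles the AH tunnel packet;
 * pass 2 re-enters ip6_input() with the decapsulated inner packet.
 * Returns true when the inner packet is delivered rather than dropped. */
bool inner_packet_delivered(bool clear_on_entry)
{
    struct pkt p = { .m_flags = 0, .outer_hdr_present = true };
    struct policy inner_sp = { .require_ah = true };

    /* Pass 1: clearing is a no-op on a fresh packet; AH then marks it. */
    if (clear_on_entry)
        p.m_flags &= ~M_AUTHFLAGS;
    model_ah_input(&p);

    /* Pass 2: inner packet goes back through ip6_input(). */
    return model_ip6_input(&p, &inner_sp, clear_on_entry);
}

int main(void)
{
    printf("flags cleared on entry: inner packet %s\n",
           inner_packet_delivered(true) ? "delivered" : "dropped");
    printf("flags kept on entry:    inner packet %s\n",
           inner_packet_delivered(false) ? "delivered" : "dropped");
    return 0;
}
```

With the entry-time clearing in place the model drops the inner packet, which is the behaviour the report predicts; without it the policy check sees the flags set by the AH pass and accepts the packet. Whether the real kernel path matches this model is exactly the question Bjoern asks above, which is why a PR with the concrete setup is the useful next step.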