From owner-freebsd-net@FreeBSD.ORG Mon Mar 24 13:22:22 2008
Message-ID: <47E7A7C5.2090509@zyxel.com.tw>
Date: Mon, 24 Mar 2008 21:08:21 +0800
From: blue
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec AH tunneling pakcet mis-handling?
References: <46B044E9.50404@zyxel.com.tw> <20080324103345.K50685@maildrop.int.zabbadoz.net>
In-Reply-To: <20080324103345.K50685@maildrop.int.zabbadoz.net>
List-Id: Networking and TCP/IP with FreeBSD

Sorry, maybe my words made you confused. What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which is currently IPSEC in FreeBSD-7.0.
BR,
Yi-Wen

Bjoern A. Zeeb wrote:
> On Wed, 1 Aug 2007, blue wrote:
>
> Hi,
>
>> Dear all:
>>
>> I do not know the purpose of the following code in the very
>> beginning of ip6_input():
>>
>>     #ifdef IPSEC
>>         /*
>>          * should the inner packet be considered authentic?
>>          * see comment in ah4_input().
>>          */
>>         if (m) {
>>             m->m_flags &= ~M_AUTHIPHDR;
>>             m->m_flags &= ~M_AUTHIPDGM;
>>         }
>>     #endif
>>
>> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD
>> is the end point of the tunnel. After it tore off the outer IPv6
>> header, the mbuf will be inserted into NETISR again. Then ip6_forward()
>> will be called again to process the packet. However, in
>> ipsec6_in_reject(), the packet's source and destination will match
>> the SP entry. Since ip6_input() has turned off the flags M_AUTHIPHDR
>> and M_AUTHIPDGM, the packet will be dropped.
>>
>> I don't think AH tunnel could work properly with this code.
>
>
> I was pointed at this.
>
> I am a bit unsure about your setup as you are talking about "AH
> tunneled" and "encrypted" while at the end it's "AH tunnel" only.
> So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
>
> Can you describe the setup this would be a problem in in detail and maybe
> file a PR so this won't be lost again.
>
> We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
> could look into both at the same time I guess.
>
> PS: I am assuming this was with (Fast) IPsec, not the KAME IPsec
> implementation? The date was too close to the change, so I thought it
> might be better asking ;-)
>
> Thanks
> /bz
>
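The failure mode Yi-Wen describes, modelled as an added example that is not code from the thread or from FreeBSD: a packet that AH has verified carries its "authentic" state only in per-mbuf flags, the inner packet is reinjected through ip6_input(), which clears those flags, and the flag-based policy check then rejects it. The flag bit values, the `ah_done` field, the `sp_requires_ah` policy and the record-based alternative check are all assumptions made for the illustration.

```c
/* Toy model of the AH-tunnel reinjection problem from the thread.
 * Not FreeBSD code: names, bit values and policy logic are simplified assumptions. */
#include <stdbool.h>

#define M_AUTHIPHDR 0x01   /* AH verified the IP header (assumed bit value) */
#define M_AUTHIPDGM 0x02   /* AH verified the datagram (assumed bit value) */

struct mbuf {
    unsigned m_flags;   /* per-packet flags, cleared by the ip6_input() prologue */
    bool     ah_done;   /* assumed: a record of AH success that reinjection keeps */
};

/* Assumed security policy: this src/dst pair requires AH. */
static const bool sp_requires_ah = true;

/* AH input: after a successful integrity check, mark the packet authentic. */
static void ah6_input(struct mbuf *m)
{
    m->m_flags |= M_AUTHIPHDR | M_AUTHIPDGM;
    m->ah_done = true;
}

/* The ip6_input() prologue quoted in the thread: clear both flags unconditionally. */
static void ip6_input_prologue(struct mbuf *m)
{
    m->m_flags &= ~M_AUTHIPHDR;
    m->m_flags &= ~M_AUTHIPDGM;
}

/* Policy check as the poster describes it: flags gone, so the packet is dropped. */
static bool ipsec6_in_reject_flags(const struct mbuf *m)
{
    return sp_requires_ah && !(m->m_flags & M_AUTHIPDGM);
}

/* Alternative check against a record that survives reinjection (assumed design). */
static bool ipsec6_in_reject_record(const struct mbuf *m)
{
    return sp_requires_ah && !m->ah_done;
}

/* Walk the inner packet through the path: AH verify, strip outer header, reinject.
 * Returns true if the policy check drops the inner packet. */
bool inner_packet_dropped(bool use_record)
{
    struct mbuf m = { 0, false };
    ah6_input(&m);               /* outer AH verified; inner packet is authentic */
    ip6_input_prologue(&m);      /* outer IPv6 header removed; back through NETISR */
    return use_record ? ipsec6_in_reject_record(&m) : ipsec6_in_reject_flags(&m);
}
```

With the flag-based check the authenticated inner packet is dropped; with state that survives reinjection it is accepted.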