From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 8 11:10:01 2008
Message-Id: <200804081104.m38B4eC7091488@death.ath.cx>
Date: Tue, 8 Apr 2008 19:04:40 +0800 (CST)
From: susan.lan@zyxel.com.tw
Reply-To: susan.lan@zyxel.com.tw
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/122562: IPsec AH tunneled packet mis handling?

>Number:         122562
>Category:       kern
>Synopsis:       IPsec AH tunneled packet mis handling?
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: 2 FreeBSD7.0-Release i386 PCs

>Description:
In the very beginning of ip6_input():

	#ifdef IPSEC
		/*
		 * should the inner packet be considered authentic?
		 * see comment in ah4_input().
		 */
		if (m) {
			m->m_flags &= ~M_AUTHIPHDR;
			m->m_flags &= ~M_AUTHIPDGM;
		}
	#endif

Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is
the end point of the tunnel. After it tears off the outer IPv6 header,
the mbuf will be inserted into NETISR again. Then ip6_forward() will be
called again to process the packet. However, in ipsec6_in_reject(), the
packet's source and destination will match the SP entry. Since
ip6_input() has turned off the flags M_AUTHIPHDR and M_AUTHIPDGM, the
packet will be dropped.

I don't think an AH tunnel could work properly with this code.

>How-To-Repeat:
Set IPsec rules as an AH tunnel for the 2 PCs; send an ICMP echo request
from one end of the tunnel to the other end. However, the echo reply will
never be returned since the packet is not successfully sent out.

>Fix:
I think the flag should be kept!

>Release-Note:
>Audit-Trail:
>Unformatted:
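
Added example, not part of the original report and not FreeBSD code: a simplified C model of the flow the report describes, showing how clearing the authentication flags on every entry to the input routine makes an AH-required inbound policy reject the requeued inner packet. Only the names M_AUTHIPHDR and M_AUTHIPDGM come from the report; the struct, the model_* functions, the flag values and the packets are constructed for illustration.

```c
#include <stdio.h>

/* Constructed flag bits for this model; not the kernel's actual values. */
#define M_AUTHIPHDR 0x1u
#define M_AUTHIPDGM 0x2u
enum verdict { DELIVERED = 0, DROPPED = 1 };

/* Hypothetical stand-in for struct mbuf: flags plus "outer AH header present". */
struct model_pkt { unsigned flags; int ah_tunneled; };

/* Model of the inbound policy check: a policy that requires AH rejects
 * any packet that does not carry M_AUTHIPHDR. */
static int model_in_reject(const struct model_pkt *p, int sp_requires_ah)
{
    return sp_requires_ah && !(p->flags & M_AUTHIPHDR);
}

/* Model of the input path. clear_on_entry = 1 mirrors the #ifdef IPSEC
 * block quoted in the report; 0 models the reporter's "keep the flag". */
static enum verdict model_input(struct model_pkt *p, int clear_on_entry,
                                int sp_requires_ah)
{
    if (clear_on_entry)
        p->flags &= ~(M_AUTHIPHDR | M_AUTHIPDGM);
    if (p->ah_tunneled) {
        /* AH verified: mark authentic, strip outer header, requeue inner. */
        p->flags |= M_AUTHIPHDR | M_AUTHIPDGM;
        p->ah_tunneled = 0;
        return model_input(p, clear_on_entry, sp_requires_ah);
    }
    return model_in_reject(p, sp_requires_ah) ? DROPPED : DELIVERED;
}

/* Run one constructed packet against an AH-required policy. */
static enum verdict run_case(int ah_tunneled, int clear_on_entry)
{
    struct model_pkt p = { 0, ah_tunneled };
    return model_input(&p, clear_on_entry, 1);
}

int main(void)
{
    const char *name[] = { "delivered", "dropped" };
    printf("AH tunnel, flags cleared on entry: %s\n", name[run_case(1, 1)]);
    printf("AH tunnel, flags kept:             %s\n", name[run_case(1, 0)]);
    printf("no AH, flags kept:                 %s\n", name[run_case(0, 0)]);
    return 0;
}
```

In this model, keeping the flags lets the inner packet inherit the authentication result of the outer header, which is the trust decision the quoted kernel comment ("should the inner packet be considered authentic?") is asking about.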