Date:      Mon, 21 Aug 2017 15:09:12 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>, "freebsd-security@freebsd.org" <freebsd-security@FreeBSD.org>
Subject:   Re: IPSEC anomaly on FreeBSD11.1S when specifying specific port in policy rules.
Message-ID:  <a1a0e448-a21f-3e4d-85e8-f3136b6ff516@yandex.ru>
In-Reply-To: <321a4895-8c4e-8261-eedf-c93bccd696d0@heuristicsystems.com.au>
References:  <321a4895-8c4e-8261-eedf-c93bccd696d0@heuristicsystems.com.au>

On 17.08.2017 06:50, Dewayne Geraghty wrote:
> I was about to send to @freebsd-stable until I realised that there are
> security implications for folks that may be using this, thinking that
> their confidential material is protected, which may not be entirely correct.

Hi,

I think this was broken by me in r275710.
This SYN+ACK packet is sent by the syncache code directly, when the PCB is not
yet created. Due to the missing inpcb pointer, this packet is considered
"forwarded" and thus the TCP ports are not filled properly for the SP lookup.

We can fix this in two ways:
1. Always fill ports. This will add a small extra overhead, but will
remove the restriction described in setkey(8):

       NOTE: upperspec does not work in the forwarding case at this
       moment, as it requires extra reassembly at forwarding node, which
       is not implemented at this moment.

2. Resurrect the flags argument and always fill ports when not forwarding.

What is the best solution?

--
WBR, Andrey V. Elsukov
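The mechanism in the message (a SYN+ACK that has no inpcb is looked up as a forwarded packet, so its ports stay 0 and a port-qualified policy misses it), as an added illustration that is not code from the mail or from FreeBSD: a small Python model of the SPD lookup. The spdadd lines, addresses and ports are constructed, the matching rules are a simplification of the kernel's selector comparison, and the "no matching policy means bypass" default is an assumption noted in the code. It also shows the two things a practitioner would want to check: that fix option 1 (always fill ports) makes the same packet match, and that a policy written without an upperspec covers the SYN+ACK even on the unfixed path.

```python
"""Model of the SP lookup failure described above.

Constructed example: the addresses, spdadd lines and matching logic are a
simplified model written for this page, not FreeBSD kernel code. It mirrors
the described behaviour: a policy selector carries an optional upper-layer
port spec (setkey's upperspec); the outbound lookup copies TCP ports into
the packet selector only when the packet is tied to a PCB, and a packet
with no PCB is treated as forwarded, so its ports stay 0.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: str
    sport: Optional[int]  # None means "any"
    dport: Optional[int]


@dataclass(frozen=True)
class Policy:
    sel: Selector
    direction: str  # "in" or "out"
    action: str     # "ipsec", "discard" or "none"


# Minimal parser for the setkey(8) spdadd form used below; the ipsec
# request string after the action is not interpreted by this model.
_SPDADD = re.compile(
    r"spdadd\s+(\S+?)(?:\[(\w+)\])?\s+(\S+?)(?:\[(\w+)\])?\s+(\w+)"
    r"\s+-P\s+(in|out)\s+(ipsec|discard|none)"
)


def _port(tok: Optional[str]) -> Optional[int]:
    return None if tok in (None, "any") else int(tok)


def parse_spdadd(line: str) -> Policy:
    m = _SPDADD.match(line.strip())
    if not m:
        raise ValueError(f"unsupported spdadd line: {line!r}")
    src, sport, dst, dport, proto, direction, action = m.groups()
    return Policy(Selector(src, dst, proto, _port(sport), _port(dport)),
                  direction, action)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def packet_selector(pkt: Packet, has_pcb: bool,
                    always_fill_ports: bool = False) -> Selector:
    """Build the lookup key the way the message describes: ports are filled
    when the packet belongs to a PCB; otherwise it is treated as forwarded
    and the ports stay 0. always_fill_ports models fix option 1."""
    if has_pcb or always_fill_ports:
        return Selector(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return Selector(pkt.src, pkt.dst, pkt.proto, 0, 0)


def selector_matches(policy_sel: Selector, key: Selector) -> bool:
    if (policy_sel.src, policy_sel.dst) != (key.src, key.dst):
        return False
    if policy_sel.proto != "any" and policy_sel.proto != key.proto:
        return False
    # A port given in the policy must match exactly; "any" (None) matches
    # anything, including the 0 left behind by the forwarded path.
    for want, have in ((policy_sel.sport, key.sport),
                       (policy_sel.dport, key.dport)):
        if want is not None and want != have:
            return False
    return True


# Assumption: no matching policy means bypass, the default of
# net.inet.ipsec.def_policy; set to "discard" to model a fail-closed host.
DEFAULT_ACTION = "none"


def spd_lookup(spd, key: Selector, direction: str) -> str:
    for p in spd:
        if p.direction == direction and selector_matches(p.sel, key):
            return p.action
    return DEFAULT_ACTION


def demo() -> dict:
    # Constructed hosts: 10.0.0.1 runs sshd behind a port-qualified policy;
    # 10.0.0.2 is its client.
    port_policy = [parse_spdadd(
        "spdadd 10.0.0.1[22] 10.0.0.2[any] tcp -P out ipsec esp/transport//require;")]
    wide_policy = [parse_spdadd(
        "spdadd 10.0.0.1 10.0.0.2 tcp -P out ipsec esp/transport//require;")]
    # Same 5-tuple twice: a data segment from the accepted socket (has a
    # PCB) and the SYN+ACK the syncache sends before the PCB exists.
    data_seg = Packet("10.0.0.1", "10.0.0.2", "tcp", 22, 40512)
    syn_ack = Packet("10.0.0.1", "10.0.0.2", "tcp", 22, 40512)
    return {
        "data_with_pcb": spd_lookup(port_policy, packet_selector(data_seg, True), "out"),
        "synack_no_pcb": spd_lookup(port_policy, packet_selector(syn_ack, False), "out"),
        "synack_fix_fill_ports": spd_lookup(
            port_policy, packet_selector(syn_ack, False, always_fill_ports=True), "out"),
        "synack_port_agnostic_policy": spd_lookup(
            wide_policy, packet_selector(syn_ack, False), "out"),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:30s} -> {action}")
```

In the model, the data segment and the fixed-path SYN+ACK both resolve to the "ipsec" policy, while the unfixed SYN+ACK falls through to the default; only the policy without an upperspec catches it. On a live host the equivalent check is to watch a handshake with tcpdump on the protected interface: with a port-qualified policy and the bypass default, the listener's SYN+ACK is expected to show up as plain TCP rather than ESP.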