kern/151449: [patch] IPsec SPD rule does not match GIF with IPv6 addresses

Martin Beran mb at tns.cz
Thu Oct 14 10:40:05 UTC 2010


>Number:         151449
>Category:       kern
>Synopsis:       [patch] IPsec SPD rule does not match GIF with IPv6 addresses
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 14 10:40:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Martin Beran
>Release:        7.1-RELEASE-p13
>Organization:
Trusted Network Solutions, a. s.
>Environment:
FreeBSD builder764.pha.tns.cz 7.1-RELEASE-p13 FreeBSD 7.1-RELEASE-p13 #18: Thu Oct 14 10:08:50 CEST 2010     root at builder764.pha.tns.cz:/usr/obj/usr/src/sys/KERNUN.amd64  amd64
>Description:
I want to secure a GIF tunnel by IPsec. I have a GIF interface with an inet6 address and also inet6 tunnel addresses. I configure Racoon and add the following rules to the SPD by setkey:
spdadd 2001:470:1f0b:102::1/128 2001:470:1f0b:102:20c:29ff:feed:ce83/128 41 -P in ipsec esp/transport//require;
spdadd 2001:470:1f0b:102:20c:29ff:feed:ce83/128 2001:470:1f0b:102::1/128 41 -P out ipsec esp/transport//require;

Now the first packet sent via the tunnel should establish an SA and the tunneled traffic should be encrypted by IPsec (in transport mode). But the packets are sent unencrypted, because the SPD entry does not match.

I first tried it on 7.1, but the related kernel code is the same in 8.1. The bug is caused by searching for the upper layer protocol number in the GIF packet (IPv6 packet encapsulated in another IPv6 packet) in functions ipsec6_get_ulp(), ip6_lasthdr(), and ip6_nexthdr(). Instead of stopping on the header of the encapsulated packet and returning IPPROTO_IPV6 (41), the search continues into the encapsulated packet and returns its payload protocol number.
>How-To-Repeat:
Configure a GIF tunnel with both inner and outer addresses being IPv6. Set an IPsec policy that secures the tunnel by matching the upper layer protocol 41 (IPv6). This policy will never match and the communication will not be secured by IPsec.
>Fix:
Apply the attached patch and rebuild the kernel.

Patch attached with submission follows:

--- /usr/src/sys/netinet6/ip6_input.c	2010-06-14 04:09:06.000000000 +0200
+++ /home/beran/tmp/i	2010-10-14 12:33:24.000000000 +0200
@@ -1601,8 +1601,12 @@ ip6_lasthdr(struct mbuf *m, int off, int
 			return newoff;
 
 		off = newoff;
 		proto = *nxtp;
+		/* IPv6-in-IPv6 encapsulation (GIF), the second IPv6 header is
+		 * a payload, do not continue to it. */
+		if (proto == IPPROTO_IPV6)
+			return off;
 	}
 }
 
 struct ip6aux *
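Review bot: the early return `if (proto == IPPROTO_IPV6) return off;` changes the result of ip6_lasthdr() for every caller, not only for the IPsec path this PR is about: any caller that expected the walk to continue into an IPv6-in-IPv6 payload now gets the offset of the inner header with *nxtp == IPPROTO_IPV6. Since the description names ipsec6_get_ulp() and ip6_nexthdr() as well, either confirm that the other callers of ip6_lasthdr() want this stop-at-encapsulation behaviour or place the check in the IPsec-specific caller instead. Minor: style(9) wants the multi-line comment opened with a bare `/*` line and closed with ` */` on its own line.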


>Release-Note:
>Audit-Trail:
>Unformatted:
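Added here as an illustration, not code from the PR or from FreeBSD: a user-space model of the ip6_nexthdr()/ip6_lasthdr() header walk described in the report, run over a flat byte buffer instead of an mbuf chain (the model_* functions, ulp_of_gif_packet and the sample packet are constructed for this example; extension headers are left out). It shows the unpatched walk continuing into the encapsulated IPv6 header and reporting the inner TCP protocol number, and the patch's early return reporting 41 so that an SPD rule on protocol 41 can match.

```c
#include <stdint.h>
#include <string.h>

#define IPPROTO_TCP  6
#define IPPROTO_IPV6 41
#define IP6_HDRLEN   40

/* Model of ip6_nexthdr(): for the header of type `proto` at `off`, return the offset
 * of the next header and store its type in *nxtp; -1 means `proto` is an upper-layer
 * protocol (for brevity only IPv6 headers are walked; extension headers are omitted). */
static int model_nexthdr(const uint8_t *pkt, size_t len, int off, int proto, int *nxtp)
{
    if (proto != IPPROTO_IPV6)
        return -1;
    if ((size_t)off + IP6_HDRLEN > len)
        return -1;
    *nxtp = pkt[off + 6];               /* Next Header field at byte 6 */
    return off + IP6_HDRLEN;
}

/* Model of ip6_lasthdr(); patched=1 adds the PR's early return on IPPROTO_IPV6. */
int model_lasthdr(const uint8_t *pkt, size_t len, int off, int proto, int *nxtp, int patched)
{
    int nxt, newoff;
    if (!nxtp) nxtp = &nxt;
    for (;;) {
        newoff = model_nexthdr(pkt, len, off, proto, nxtp);
        if (newoff < 0) return off;             /* *nxtp is the upper-layer protocol */
        else if (newoff < off) return -1;       /* invalid */
        else if (newoff == off) return newoff;
        off = newoff;
        proto = *nxtp;
        if (patched && proto == IPPROTO_IPV6) return off;   /* stop at the encapsulated packet */
    }
}

/* Constructed GIF packet: outer IPv6 (nxt=41) + inner IPv6 (nxt=6) + 20 bytes of TCP.
 * Returns the protocol number the SPD lookup would be matched against. */
int ulp_of_gif_packet(int patched)
{
    uint8_t pkt[IP6_HDRLEN * 2 + 20];
    int nxt = 0;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x60; pkt[6] = IPPROTO_IPV6;                       /* outer header */
    pkt[IP6_HDRLEN] = 0x60; pkt[IP6_HDRLEN + 6] = IPPROTO_TCP;  /* inner header */
    model_lasthdr(pkt, sizeof pkt, 0, IPPROTO_IPV6, &nxt, patched);
    return nxt;  /* unpatched: 6 (TCP); patched: 41 (IPv6) */
}
```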