kern/161058: enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host

Matthew Grant matthew.grant at net24.co.nz
Tue Sep 27 04:00:18 UTC 2011


>Number:         161058
>Category:       kern
>Synopsis:       enc0 not capturing outgoing IPSEC encrypted transport IPv6 traffic from host
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 27 04:00:16 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Grant
>Release:        8.2-p2
>Organization:
Net24 Ltd
>Environment:
FreeBSD dns-slave0.devel.net.nz 8.2-RELEASE-p2 FreeBSD 8.2-RELEASE-p2 #3: Mon Sep 26 09:23:45 NZDT 2011     root at dns-slave0.devel.net.nz:/usr/obj/usr/src/sys/IPSEC  amd64

>Description:
Outgoing IPv6 host traffic that is to be encrypted is not being captured by the enc0 device.  IPFW only sees it as esp.  tcpdump cannot see it either.  This is after trying all combinations of the sysctl flags.

/etc/sysctl.conf:

# Set up IPSEC filtering
net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001
net.inet.ipsec.ecn=1
net.inet.ipsec.filtertunnel=0
net.inet.ip.fw.one_pass=0

This has been tried with IPv6 directly on em0, and over an IPv6 sit6 gif tunnel.

It would be good to get this fixed, as we would like to deploy FreeBSD servers with IPSEC IPv6 encrypted networking.  This is critical for securing the contents of the SPD, as it can supply statefulness when combined with IPSEC matching ipfw or pf properties.

>How-To-Repeat:

ifconfig enc0 up. Make sure net.enc.out/in are set to default or as:

net.enc.out.ipsec_bpf_mask=0x00000003
net.enc.out.ipsec_filter_mask=0x00000003
net.enc.in.ipsec_bpf_mask=0x00000001
net.enc.in.ipsec_filter_mask=0x00000001

Incoming IPv6 traffic will be observed, but none of the outgoing traffic from the host.  In the IPv4 equivalent, outgoing traffic will be observed and in ipfw will show up as coming from the enc0 device.  Incoming IPv6 traffic will be matched in ipfw on rules with the 'ipsec' property set.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
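A small diagnostic for the behaviour this PR reports, added here as an example and not part of the report or of FreeBSD: it checks that the four net.enc masks match the values given above, then counts the direction of the IPv6 packets tcpdump shows on enc0 so the missing-outbound symptom can be confirmed on a host. The function names, the constructed sample lines and the host address 2001:db8::1 are assumptions.

```shell
# Added diagnostic for the enc0 symptom in this PR (not part of the report). It does not
# depend on what each mask bit means, only on whether the values match the PR and on
# which direction of IPv6 traffic enc0 actually shows.
# enc_masks_check: read "name=value" lines (as `sysctl -e net.enc` prints) on stdin;
# return 0 when all four masks equal the PR's values. Accepts "3" or "0x00000003"
# (sysctl.conf form); mask values are assumed to be single digits.
enc_masks_check() {
    awk -F= '
        BEGIN {
            want["net.enc.out.ipsec_bpf_mask"] = 3; want["net.enc.out.ipsec_filter_mask"] = 3
            want["net.enc.in.ipsec_bpf_mask"] = 1;  want["net.enc.in.ipsec_filter_mask"] = 1
        }
        ($1 in want) {
            v = $2; sub(/^0[xX]/, "", v); sub(/^0+/, "", v)   # 0x00000003 -> 3
            got[$1] = (v == "") ? 0 : v + 0
        }
        END {
            bad = 0
            for (k in want) if (!(k in got) || got[k] != want[k]) bad++
            exit (bad > 0)
        }'
}

# enc_direction_counts HOST_IP6: read `tcpdump -i enc0 -nn -l` lines on stdin and
# print "in=N out=M" relative to HOST_IP6. enc0 lines carry a "(authentic,confidential):
# SPI 0x...:" prefix, so the "IP6 src > dst" triple is found by scanning fields; ports
# appended with a dot (2001:db8::1.53) are stripped. IPv4-mapped addresses not handled.
enc_direction_counts() {
    awk -v h="$1" '
        {
            for (i = 1; i + 3 <= NF; i++)
                if ($i == "IP6" && $(i + 2) == ">") {
                    src = $(i + 1); sub(/\.[0-9]+$/, "", src)
                    dst = $(i + 3); sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)
                    if (src == h) out++; else if (dst == h) inb++
                    break
                }
        }
        END { printf "in=%d out=%d\n", inb + 0, out + 0 }'
}

# enc_outbound_missing HOST_IP6: return 0 when enc0 showed inbound IPv6 packets for
# the host but none outbound, i.e. the behaviour this PR reports; 1 otherwise.
enc_outbound_missing() {
    counts=$(enc_direction_counts "$1")
    inb=${counts#in=}; inb=${inb%% *}
    out=${counts##*out=}
    [ "$inb" -gt 0 ] && [ "$out" -eq 0 ]
}
```

On the affected host this is used as `sysctl -e net.enc | enc_masks_check` and `tcpdump -i enc0 -nn -l -c 50 | enc_outbound_missing 2001:db8::1`, while generating IPv6 traffic in both directions.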

