kern/57760: IPsec policy on inbound traffic is not enforced (allows spoofing)
Joachim Schueth
spam_vanishes_here at yahoo.de
Fri Apr 9 16:20:20 PDT 2004
The following reply was made to PR kern/57760; it has been noted by GNATS.
From: Joachim Schueth <spam_vanishes_here at yahoo.de>
To: freebsd-gnats-submit at FreeBSD.org, dl2kcd at darc.de
Cc:
Subject: Re: kern/57760: IPsec policy on inbound traffic is not enforced (allows spoofing)
Date: Sat, 10 Apr 2004 01:09:47 +0200
Hi,
it is KAME IPsec on FreeBSD 4.8-RELEASE-p13:
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security
The IP related kernel config diffs relative to GENERIC are:
#options INET6 #IPv6 communications protocols
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
I tried your setkey script, loaded before starting the TCP connection,
but again see the following:
00:48:53.244725 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x1): 1043 > 22: S 3733473463:3733473463(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 1439648[|tcp]> (DF)
00:48:53.245627 192.168.64.70.22 > 192.168.64.50.1043: S 3686763453:3686763453(0) ack 3733473464 win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 117291739 1439648> (DF)
00:48:53.245717 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x2): 1043 > 22: . ack 1 win 57920 <nop,nop,timestamp 1439649 117291739> (DF)
00:48:53.256277 192.168.64.70.22 > 192.168.64.50.1043: P 1:40(39) ack 1 win 57920 <nop,nop,timestamp 117291740 1439649> (DF)
00:48:53.256549 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x3): 1043 > 22: P 1:40(39) ack 40 win 57920 <nop,nop,timestamp 1439660 117291740> (DF)
00:48:53.271242 192.168.64.70.22 > 192.168.64.50.1043: P 40:576(536) ack 40 win 57920 <nop,nop,timestamp 117291742 1439660> (DF)
So .50 connects to .70 with AH, .70 replies without AH, but the connection
continues anyway. The security policies displayed with setkey -DP are:
On 192.168.64.50:
192.168.64.70[any] 192.168.64.50[any] any
in ipsec
ah/transport//require
spid=9 seq=1 pid=352
refcnt=1
192.168.64.50[any] 192.168.64.70[any] any
out ipsec
ah/transport//require
spid=10 seq=0 pid=352
refcnt=1
On 192.168.64.70:
No SPD entries.
Obviously, 192.168.64.50 ignores the policy on inbound traffic.
Joachim Schueth
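An added example (not code from the PR or from FreeBSD) that turns the check the reporter made by eye into a script: it parses tcpdump lines in the old "src > dst: AH(...)" syntax, takes the two SPD entries shown above as data, and lists every packet the policy says must carry AH but that has none. The sample capture is the PR's own tcpdump output with TCP options trimmed; "has an AH header" is only a proxy for "passed policy", since the kernel also checks that the AH was verified under a matching SA, which a capture cannot show.

```python
# Compare a tcpdump capture taken on 192.168.64.50 with the SPD that
# 'setkey -DP' printed there; flag packets lacking the AH the policy requires.
import re

# Constructed sample: the tcpdump lines quoted in the PR, TCP options trimmed.
CAPTURE = """\
00:48:53.244725 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x1): 1043 > 22: S 3733473463:3733473463(0) win 57344 (DF)
00:48:53.245627 192.168.64.70.22 > 192.168.64.50.1043: S 3686763453:3686763453(0) ack 3733473464 win 57344 (DF)
00:48:53.245717 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x2): 1043 > 22: . ack 1 win 57920 (DF)
00:48:53.256277 192.168.64.70.22 > 192.168.64.50.1043: P 1:40(39) ack 1 win 57920 (DF)
00:48:53.256549 192.168.64.50 > 192.168.64.70: AH(spi=0x00001234,seq=0x3): 1043 > 22: P 1:40(39) ack 40 win 57920 (DF)
00:48:53.271242 192.168.64.70.22 > 192.168.64.50.1043: P 40:576(536) ack 40 win 57920 (DF)
"""

# The two 'require' entries from 'setkey -DP' on .50: (src, dst, direction, protocol).
SPD = [
    ("192.168.64.70", "192.168.64.50", "in", "ah"),
    ("192.168.64.50", "192.168.64.70", "out", "ah"),
]

# Old tcpdump syntax: 'ts src[.port] > dst[.port]: [AH(spi=..,seq=..): ] ...'
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?: (?P<rest>.*)$"
)
AH_RE = re.compile(r"^AH\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")


def parse_packets(capture):
    """Yield (ts, src, dst, ah_spi) per line; ah_spi is None when no AH header."""
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if m:
            ah = AH_RE.match(m["rest"])
            yield m["ts"], m["src"], m["dst"], (ah["spi"] if ah else None)


def policy_violations(capture, spd, host):
    """Return (ts, src, dst, direction) for packets a 'require ah' entry covers but
    that carry no AH. Direction is relative to `host`: dst == host is 'in'."""
    found = []
    for ts, src, dst, spi in parse_packets(capture):
        direction = "in" if dst == host else "out" if src == host else None
        for psrc, pdst, pdir, proto in spd:
            if (psrc, pdst, pdir, proto) == (src, dst, direction, "ah") and spi is None:
                found.append((ts, src, dst, direction))
    return found


if __name__ == "__main__":
    for ts, src, dst, direction in policy_violations(CAPTURE, SPD, "192.168.64.50"):
        print(f"{ts} {direction:3} {src} > {dst}: policy requires AH, packet has none")
```

On the PR's capture every outbound packet carries AH and passes, while all three replies from .70 are reported, which is exactly the inbound traffic the kernel should have dropped under the "in ... ah/transport//require" entry.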