kern/122562: IPsec AH tunneled packet mis handling?

[susan.lan at zyxel.com.tw]

>Number:         122562
>Category:       kern
>Synopsis:       IPsec AH tunneled packet mis handling?
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: 
	2 FreeBSD7.0-Release i386 PCs
>Description:
	In the very beginning of ip6_input():

#ifdef IPSEC
  /*
   * should the inner packet be considered authentic?
   * see comment in ah4_input().
   */
  if (m) {
      m->m_flags &= ~M_AUTHIPHDR;
      m->m_flags &= ~M_AUTHIPDGM;
  }
#endif

Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is the end point of the tunnel. After it tore off the outer IPv6 header, the mbuf will be inserted to NETISR again. Then ip6_forward() will be called again to process the packet. However, in ipsec6_in_reject(), the packet's source and destination will match the SP entry. Since ip6_input() has truned off the flag M_AUTHIPHDR and M_AUTHIPDGM, the packet will be dropped.

I don't think with the codes AH tunnel could work properly. 

>How-To-Repeat:
	Set IPsec rules as AH tunnel for the 2 PCs; send ICMP echo request from
one end of the tunnel to the other end. However, the echo reply will never be returned since the packet is not successfully sent out. 

>Fix:

	I think the flag should be kept!

>Release-Note:
>Audit-Trail:
>Unformatted: