kern/121384: New IPSEC fails to obey policy levels
Cyrus Rahman
crahman at gmail.com
Wed Mar 5 11:00:04 UTC 2008
>Number: 121384
>Category: kern
>Synopsis: New IPSEC fails to obey policy levels
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 05 11:00:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Cyrus Rahman
>Release: 7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #7: Wed Mar 5 00:48:02 MST 2008 cr at snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA i386
>Description:
IPSEC policies include a level: default, use, require, or unique. A level of 'use' should mean that the kernel will use an SA if available, otherwise it should pass the packet as it would normally. However, with the new IPSEC this level is ignored and packets are discarded if the SA is not available.
>How-To-Repeat:
Between two hosts with no security associations and which are not running anything to set up such associations, check for connectivity with ping.

From hostA:

    root# ping hostB
    ...echo replies

Install a policy like this on hostA:

    spdadd -4 hostA hostB any -P out ipsec
        esp/transport//use;
    spdadd -4 hostB hostA any -P in ipsec
        esp/transport//use;

Things should continue to work, however:

    root# ping hostB
    ping: sendto: Invalid argument
    ping: sendto: Invalid argument
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: