kern/123793: [ipsec] [patch] KAME IPSEC does not pass processed packets to pfil hooks

Eugene Grosbein eugen at grosbein.pp.ru
Sun May 18 13:40:02 UTC 2008 

>Number:         123793
>Category:       kern
>Synopsis:       [ipsec] [patch] KAME IPSEC does not pass processed packets to pfil hooks
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 13:40:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.3-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: RELENG_6

>Description:
	(This issue applies to RELENG_6 only, as newer versions
	do not contain KAME IPSEC implementation anymore.)

	When AH, ESP or IPCOMP protocols finish packets processing,
	they pass them directly to pr_input() for appropriate
	encapsulated protocol. Thus, it is not possible to filter
	incoming packets processed with this IPSEC implementation
	after they has been decrypted.

	Let's consider simple schema:

L-R+G-Internet

	Here R is a router (FreeBSD 6.3), L is a host in its LAN
	using private IP-addresses (RFC 1918).
	Plus sign designates provider's radio-ethernet segment built with
	L2 radio-bridges, G is provider's gateway to the Internet.
	R and G use public IP-addresses within radio-ethernet,
	so R does NAT for L.

	There is also another host H in the same radio-ethernet segment,
	in the same IP-network as R and G, it has public IP-address.
	We need to protect traffic between R and H so run IPSEC on R and H.
	It works nice for traffic running between R and G.

	Now let's see what happens when L connects to H.
	Outgoing packet from L goes through NAT on R,
	translated packet then goes through IPSEC and finally reaches H.
	Now H sends its encrypted reply that reaches R that decrypts it.
	But IPSEC does not pass decrypted packed downto ip_input(),
	it passes it to pr_input() directly so H's reply gets delivered
	locally instead of being NAT'ed and forwarded.
	Finally, it is dropped.

	Kernel option IPSEC_FILTERGIF should help in this case
	but it does not.

	Newer FAST_IPSEC implementation does not have this problem,
	it passes decrypted answer to ip_input() via netisr,
	so it reaches pfil hooks and may be processed with NAT
	and then routed successfully.

	However, switching to FAST_IPSEC is not an option when
	we require working IPCOMP support. See this PR for details:
	http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/123587

	So, the solution is to make kernel option IPSEC_FILTERGIF
	to cover this case and pass decrypted incoming packet
	again to ip_input() via netisr just like FAST_IPSEC does,
	thus bringing old implementation's behavour more in line
	with new one.

>How-To-Repeat:
	See description
>Fix:

	The patch is pretty small and simple:

	ftp://www.kuzbass.ru/pub/freebsd/patches/ipsec-filter.diff.gz
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list