kern/127785: IPSEC with IPv6 fails to pass traffic through enc0 interface

Wed Oct 1 19:40:04 UTC 2008

>Number:         127785
>Category:       kern
>Synopsis:       IPSEC with IPv6 fails to pass traffic through enc0 interface
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 01 19:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Cyrus Rahman
>Release:        FreeBSD 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD silva.signetica.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Thu Sep 25 23:49:02 MDT 2008     cr at silva.signetica.com:/usr/src/sys/amd64/compile/SIGNETICA  amd64

>Description:
The enc0 interface is supposed to inherit all IPSEC traffic, allowing packet filters to perform their work with knowledge of the packet's contents.

This works as expected in IPv4.

In IPv6, no IPSEC traffic is passed to enc0.  As a result, firewall rules are bypassed silently.
>How-To-Repeat:
Set up an IPv6 security association between two hosts and observe that all formerly firewall-blocked traffic can now pass freely.
>Fix:
The new IPSEC simply doesn't contain code to do this for IPv6.

Until such code is written it would be prudent to include a warning in the enc(4) manual page mentioning that IPv6 IPSEC traffic will not be visible to the enc interface, and that therefore firewall rules will not be applied to such traffic.

>Release-Note:
>Audit-Trail:
>Unformatted: