IPsec AH tunneling pakcet mis-handling?
blue
susan.lan at zyxel.com.tw
Wed Aug 1 08:31:30 UTC 2007
Dear all:
I do not know the purpose of the following codes in the very beginning
in ip6_input():
#ifdef IPSEC
/*
* should the inner packet be considered authentic?
* see comment in ah4_input().
*/
if (m) {
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
}
#endif
Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is
the end point of the tunnel. After it tore off the outer IPv6 header,
the mbuf will be inserted to NETISR again. Then ip6_forward() will be
called again to process the packet. However, in ipsec6_in_reject(), the
packet's source and destination will match the SP entry. Since
ip6_input() has truned off the flag M_AUTHIPHDR and M_AUTHIPDGM, the
packet will be dropped.
I don't think with the codes AH tunnel could work properly.
Best regards,
Yi-Wen
More information about the freebsd-net
mailing list