IPsec AH tunneling pakcet mis-handling?
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Mar 24 05:45:07 PDT 2008
On Wed, 1 Aug 2007, blue wrote:
Hi,
> Dear all:
>
> I do not know the purpose of the following codes in the very beginning in
> ip6_input():
>
> #ifdef IPSEC
> /*
> * should the inner packet be considered authentic?
> * see comment in ah4_input().
> */
> if (m) {
> m->m_flags &= ~M_AUTHIPHDR;
> m->m_flags &= ~M_AUTHIPDGM;
> }
> #endif
>
> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is the
> end point of the tunnel. After it tore off the outer IPv6 header, the mbuf
> will be inserted to NETISR again. Then ip6_forward() will be called again to
> process the packet. However, in ipsec6_in_reject(), the packet's source and
> destination will match the SP entry. Since ip6_input() has truned off the
> flag M_AUTHIPHDR and M_AUTHIPDGM, the packet will be dropped.
>
> I don't think with the codes AH tunnel could work properly.
I was pointed at this.
I am a bit unsure about your setup as you are talking about "AH
tunneled" and "encrypted" while at the end it's "AH tunnel" only.
So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
Can you describe the setup this would be a problem in detail and maybe
file a PR so this won't be lost again.
We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
could look into both at the same time I guess.
PS: I am assuming this was with (Fast) IPsec, not KAME IPsec
implementation? The date was too close to the change, so I thought it
might be better asking;-)
Thanks
/bz
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
More information about the freebsd-net
mailing list