ipsec foils traceroute on gre/gif

David DeSimone ddesimone at verio.net
Tue Feb 18 18:53:52 UTC 2014


My understanding of this issue is that replying with an ICMP message for traceroute carries the risk of violating security policy.

When an ICMP Unreachable packet is generated, the first 64 octets in the packet are copied into the reply.  If the packet was originally encrypted with IPsec, those octets were never seen unencrypted on the wire.  If the ICMP Unreachable were permitted to be generated and sent, it could very well reveal the unencrypted IPsec packet contents on the wire, because the source/destination IPs of the ICMP message no longer match the SPDs.

Thus the conservative decision in the kernel is to drop the TTL-exceeded packet coming from IPsec, with no reply.

In other words, "working as intended."


-----Original Message-----
From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org] On Behalf Of Michael Glasgow
Sent: Tuesday, February 18, 2014 12:14 AM
To: freebsd-net at freebsd.org
Subject: ipsec foils traceroute on gre/gif

I noticed traceroute misses a hop when crossing an encrypted gif
or gre tunnel, e.g.:

$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms

Firewalls are all completely disabled in the above example.  It
appears the TTL-exceeded ICMP isn't properly generated.  Poking
through the archives, I found this old thread with a lot of info:

http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html

But alas, the final word on whether the recommended fix had any
untoward security ramifications was not forthcoming.  Anyone have
an interest in resurrecting this?

-- 
Michael Glasgow <glasgow at beer.net>


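The mechanism David describes, modelled as an added example (this is illustrative code written for this archive page, not FreeBSD's ip_icmp.c or its IPsec code): a router builds an ICMP Time Exceeded by quoting the leading octets of the offending datagram verbatim, and if that datagram was only ever plaintext inside an IPsec SA, the reply (a new flow from the router to the inner source) is checked against the SPD before it is allowed onto the wire. The 64-octet quote length follows the post; the addresses 172.29.0.1, 172.29.0.5 and 10.0.0.2, the `SpdEntry` structure and the `on_ttl_expired` decision function are simplifications chosen for the example.

```python
"""Illustrative model of why a TTL-exceeded reply for an IPsec-decapsulated
packet is dropped. Not FreeBSD kernel code; addresses and SPD shape are assumed."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP_TIME_EXCEEDED = 11
QUOTE_LEN = 64  # octets of the offending datagram copied into the reply, per the post


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields this model needs out of an IPv4 header."""
    return {"ihl": (pkt[0] & 0x0F) * 4, "ttl": pkt[8], "proto": pkt[9],
            "src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20]))}


def time_exceeded(router_ip: str, offending: bytes) -> bytes:
    """ICMP Time Exceeded (type 11, code 0) quoting the start of the offending datagram.
    The quote is copied byte-for-byte, so whatever the datagram carried goes with it."""
    quote = offending[:QUOTE_LEN]
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quote
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_packet(router_ip, parse_ipv4(offending)["src"], 1, icmp)


@dataclass
class SpdEntry:
    src: str      # CIDR selector
    dst: str      # CIDR selector
    action: str   # "protect" (must be encrypted) or "bypass" (may go in the clear)


def spd_action(spd, src: str, dst: str) -> str:
    """First-match SPD lookup; a flow with no entry is treated as "bypass"."""
    for e in spd:
        if ip_address(src) in ip_network(e.src) and ip_address(dst) in ip_network(e.dst):
            return e.action
    return "bypass"


def on_ttl_expired(router_ip: str, offending: bytes, arrived_via_ipsec: bool, spd):
    """The decision the post describes. Returns the reply to send, or None to stay silent."""
    inner = parse_ipv4(offending)
    if arrived_via_ipsec:
        # The reply is a new flow router -> inner source. If the SPD would not
        # encrypt that flow, the quoted plaintext would reach the wire unprotected.
        if spd_action(spd, router_ip, inner["src"]) != "protect":
            return None
    return time_exceeded(router_ip, offending)


# Constructed sample input: a traceroute probe whose TTL expired at the tunnel endpoint.
SECRET = b"constructed-plaintext-payload"
PROBE = ipv4_packet("172.29.0.1", "172.29.0.5", 1, SECRET, ttl=1)   # assumed addresses
ROUTER = "10.0.0.2"                                                  # assumed endpoint

# SPD protecting only traffic between the two inner networks.
SPD_TUNNEL_ONLY = [SpdEntry("172.29.0.0/24", "172.29.0.0/24", "protect")]
# SPD that additionally protects the router's own replies toward the inner network.
SPD_WITH_ROUTER = SPD_TUNNEL_ONLY + [SpdEntry("10.0.0.2/32", "172.29.0.0/24", "protect")]


def demo():
    clear = on_ttl_expired(ROUTER, PROBE, False, SPD_TUNNEL_ONLY)   # plain gif/gre hop
    dropped = on_ttl_expired(ROUTER, PROBE, True, SPD_TUNNEL_ONLY)  # IPsec, reply uncovered
    covered = on_ttl_expired(ROUTER, PROBE, True, SPD_WITH_ROUTER)  # IPsec, reply protected
    return clear, dropped, covered


if __name__ == "__main__":
    c, d, v = demo()
    print("plain tunnel: reply sent; inner payload quoted verbatim:", SECRET in c)
    print("ipsec, SPD covers tunnel flow only:", "reply" if d else "silent (dropped)")
    print("ipsec, SPD also covers router reply:", "reply" if v else "silent (dropped)")
```

Running it shows the three outcomes side by side: on an unencrypted gif/gre hop the reply carries the inner datagram's header and payload bytes in the clear (which is harmless there, since they were already on the wire that way); the same reply built for an IPsec-decapsulated probe contains octets that were only ever ciphertext on the wire, and with an SPD that covers just the tunnel flow the model stays silent, which is the missing hop in the traceroute above. The third case is the one a practitioner may want to check on a real box: if the SPD also protects the endpoint's own traffic back toward the inner network, the reply would itself be encrypted, and whether the kernel takes that into account is exactly the question the original thread left open.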

