IPSEC anomaly on FreeBSD11.1S when specifying specific port in policy rules.
Andrey V. Elsukov
bu7cher at yandex.ru
Mon Aug 21 12:12:48 UTC 2017

On 17.08.2017 06:50, Dewayne Geraghty wrote:
> I was about to send to @freebsd-stable until I realised that there are
> security implications for folks that may be using this, thinking that
> their confidential material is protected, which may not be entirely correct.

Hi,
I think this was broken by me in r275710.
This SYN+ACK packet is sent by syncache code directly when the PCB is not
yet created. And due to the missing inpcb pointer this packet is considered
"forwarded" and thus TCP ports are not filled properly for the SP lookup.
We can fix this in two ways:
1. Always fill ports. This will add a small extra overhead, but will
solve the restriction described in setkey(8):
       NOTE: upperspec does not work in the forwarding case at this
       moment, as it requires extra reassembly at forwarding node, which
       is not implemented at this moment.
2. Resurrect the flags argument and always fill ports when not forwarding.
What is the best solution?
-- 
WBR, Andrey V. Elsukov
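The failure mode described in the mail, as an added model that is not FreeBSD kernel code and not part of this thread: a tiny in-memory SPD with port-specific "require" policies, a selector builder that, like the bug described, leaves the TCP ports unfilled when there is no inpcb (the packet is treated as forwarded), and the "always fill ports" variant of option 1. The addresses, ports, function names (`setspidx`, `spd_lookup`, `synack_policy`, `established_policy`) and the policy table are all constructed for the example; port 0 stands in for "any" in the selector.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an IPsec security policy selector (constructed, not the kernel's
 * secpolicyindex). A port of 0 means "any" on both the policy and the packet
 * side, which is how an unfilled port ends up behaving in the lookup. */
typedef struct {
    uint32_t src, dst;       /* IPv4 addresses, host byte order */
    uint8_t  proto;          /* 6 = TCP */
    uint16_t sport, dport;   /* 0 = wildcard */
} selector_t;

typedef enum { ACTION_NONE = 0, ACTION_IPSEC_REQUIRE = 1 } action_t;

typedef struct {
    selector_t sel;
    action_t   action;
} policy_t;

/* Constructed SPD: ESP is required for SSH (TCP/22) in both directions.
 * Anything that matches no entry leaves the host in the clear. */
static const policy_t spd[] = {
    { { 0x0A000001, 0x0A000002, 6, 0, 22 }, ACTION_IPSEC_REQUIRE }, /* to port 22   */
    { { 0x0A000001, 0x0A000002, 6, 22, 0 }, ACTION_IPSEC_REQUIRE }, /* from port 22 */
};

static bool port_match(uint16_t want, uint16_t have)
{
    return want == 0 || want == have;
}

/* Linear SPD walk; first matching selector wins. */
action_t spd_lookup(const selector_t *s)
{
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++) {
        const selector_t *p = &spd[i].sel;
        if (p->src == s->src && p->dst == s->dst && p->proto == s->proto &&
            port_match(p->sport, s->sport) && port_match(p->dport, s->dport))
            return spd[i].action;
    }
    return ACTION_NONE; /* no policy matched: packet is sent unprotected */
}

/* Build the selector for an outbound TCP segment. 'have_pcb' stands in for
 * the inpcb pointer; without it the packet is treated as forwarded and, as in
 * the bug, the ports are left unfilled. 'always_fill' is option 1 from the mail. */
selector_t setspidx(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                    bool have_pcb, bool always_fill)
{
    selector_t s = { src, dst, 6, 0, 0 };
    bool forwarding = !have_pcb;
    if (always_fill || !forwarding) {
        s.sport = sport;
        s.dport = dport;
    }
    return s;
}

/* SYN+ACK emitted by the syncache for a connection to local port 22: no PCB
 * exists yet, so the selector only carries ports if 'always_fill' is set. */
action_t synack_policy(bool always_fill)
{
    selector_t s = setspidx(0x0A000001, 0x0A000002, 22, 40000, false, always_fill);
    return spd_lookup(&s);
}

/* Later data segment on the same connection, after the PCB exists. */
action_t established_policy(bool always_fill)
{
    selector_t s = setspidx(0x0A000001, 0x0A000002, 22, 40000, true, always_fill);
    return spd_lookup(&s);
}

int main(void)
{
    printf("SYN+ACK, ports unfilled when no PCB : %s\n",
           synack_policy(false) == ACTION_IPSEC_REQUIRE ? "ESP required" : "sent in the clear");
    printf("SYN+ACK, ports always filled        : %s\n",
           synack_policy(true) == ACTION_IPSEC_REQUIRE ? "ESP required" : "sent in the clear");
    printf("established segment                 : %s\n",
           established_policy(false) == ACTION_IPSEC_REQUIRE ? "ESP required" : "sent in the clear");
    return 0;
}
```

With the unfilled selector the SYN+ACK matches neither port-specific entry and falls through to "no policy", which is the confidentiality gap the thread is about; the same segment matches once the ports are present, and segments sent after the PCB exists were never affected. Policies written with `[any]` ports (no upperspec) would match in both cases, which is why the problem only surfaces when a specific port is given in the rule.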