>Number:         151449
>Category:       kern
>Synopsis:       [patch] IPsec SPD rule does not match GIF with IPv6 addresses
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 14 10:40:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Martin Beran
>Release:        7.1-RELEASE-p13
>Organization:
Trusted Network Solutions, a. s.
>Environment:
FreeBSD builder764.pha.tns.cz 7.1-RELEASE-p13 FreeBSD 7.1-RELEASE-p13 #18: Thu Oct 14 10:08:50 CEST 2010     r...@builder764.pha.tns.cz:/usr/obj/usr/src/sys/KERNUN.amd64  amd64
>Description:
I want to secure a GIF tunnel by IPsec. I have a GIF interface with an inet6 
address and also inet6 tunnel addresses. I configure Racoon and add the following 
rules to the SPD by setkey:
spdadd 2001:470:1f0b:102::1/128 2001:470:1f0b:102:20c:29ff:feed:ce83/128 41 -P in ipsec esp/transport//require;
spdadd 2001:470:1f0b:102:20c:29ff:feed:ce83/128 2001:470:1f0b:102::1/128 41 -P out ipsec esp/transport//require;

Now the first packet sent via the tunnel should establish an SA and the 
tunneled traffic should be encrypted by IPsec (in transport mode). But the 
packets are sent unencrypted, because the SPD entry does not match.

I first tried it on 7.1, but the related kernel code is the same in 8.1. The 
bug is caused by searching for the upper layer protocol number in the GIF 
packet (IPv6 packet encapsulated in another IPv6 packet) in functions 
ipsec6_get_ulp(), ip6_lasthdr(), and ip6_nexthdr(). Instead of stopping on the 
header of the encapsulated packet and returning IPPROTO_IPV6 (41), the search 
continues into the encapsulated packet and returns its payload protocol number.
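As an added illustration (not part of the PR or of the FreeBSD source), the following userland model of the header walk shows the behaviour described above on a constructed IPv6-in-IPv6 packet: the unpatched walk treats the inner IPv6 header as one more header and returns the payload protocol, while stopping at the inner header returns 41, the value the SPD rules above match on. The function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

enum { IP6_HDRLEN = 40, PROTO_HOPOPTS = 0, PROTO_TCP = 6, PROTO_IPV6 = 41,
       PROTO_ROUTING = 43, PROTO_DSTOPTS = 60 };

/* Walk an IPv6 packet's header chain and return the upper layer protocol an
 * SPD lookup would match on (-1 on truncation). stop_at_ipv6 == 0 models the
 * unpatched walk, which treats an encapsulated IPv6 header like one more
 * header; stop_at_ipv6 != 0 models the patch, which stops there and returns 41. */
int ip6_ulp(const uint8_t *pkt, size_t len, int stop_at_ipv6)
{
    if (len < IP6_HDRLEN)
        return -1;
    int proto = pkt[6];            /* ip6_nxt of the outer header */
    size_t off = IP6_HDRLEN;
    for (;;) {
        switch (proto) {
        case PROTO_HOPOPTS: case PROTO_ROUTING: case PROTO_DSTOPTS:
            /* byte 0 = next header, byte 1 = extra length in 8-octet units */
            if (len < off + 8)
                return -1;
            proto = pkt[off];
            off += ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case PROTO_IPV6:
            if (stop_at_ipv6)
                return PROTO_IPV6; /* patched: inner IPv6 header is payload */
            if (len < off + IP6_HDRLEN)
                return -1;
            proto = pkt[off + 6];  /* unpatched: descend into the inner packet */
            off += IP6_HDRLEN;
            break;
        default:
            return proto;          /* TCP, UDP, ESP, ICMPv6, ... */
        }
    }
}

/* Constructed GIF sample: outer IPv6 -> 8-byte dest-options header -> inner
 * IPv6 carrying TCP. Only the next-header and length bytes matter here. */
int gif_sample_ulp(int stop_at_ipv6)
{
    uint8_t pkt[IP6_HDRLEN + 8 + IP6_HDRLEN + 20] = {0};
    pkt[0] = 0x60;                pkt[6] = PROTO_DSTOPTS;
    pkt[IP6_HDRLEN] = PROTO_IPV6; pkt[IP6_HDRLEN + 1] = 0;
    pkt[IP6_HDRLEN + 8] = 0x60;   pkt[IP6_HDRLEN + 8 + 6] = PROTO_TCP;
    return ip6_ulp(pkt, sizeof pkt, stop_at_ipv6);
}
```

gif_sample_ulp(0) returns 6 (the inner TCP), which no "41" policy matches, and gif_sample_ulp(1) returns 41.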
>How-To-Repeat:
Configure a GIF tunnel with both inner and outer addresses being IPv6. Set an 
IPsec policy that secures the tunnel by matching the upper layer protocol 41 
(IPv6). This policy will never match and the communication will not be secured 
by IPsec.
>Fix:
Apply the attached patch and rebuild the kernel.

Patch attached with submission follows:

--- /usr/src/sys/netinet6/ip6_input.c   2010-06-14 04:09:06.000000000 +0200
+++ /home/beran/tmp/i   2010-10-14 12:33:24.000000000 +0200
@@ -1601,8 +1601,12 @@ ip6_lasthdr(struct mbuf *m, int off, int
                        return newoff;
 
                off = newoff;
                proto = *nxtp;
+               /* IPv6-in-IPv6 encapsulation (GIF), the second IPv6 header is
+                * a payload, do not continue to it. */
+               if (proto == IPPROTO_IPV6)
+                       return off;
        }
 }
 
 struct ip6aux *
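Review bot: the early return in ip6_lasthdr() changes the result for every caller of this general helper in ip6_input.c, not only for the IPsec policy lookup, yet the description names ipsec6_get_ulp() and ip6_nexthdr() as affected too and the patch touches neither; the PR should state why stopping in ip6_lasthdr() alone is sufficient for the SPD match and intended for all other callers, or the check should be scoped to the IPsec path. Minor: the new comment is a comma splice; consider "IPv6-in-IPv6 encapsulation (GIF): the second IPv6 header is payload, do not descend into it."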


>Release-Note:
>Audit-Trail:
>Unformatted: