Sorry, maybe my words confused you.
What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which
is currently IPSEC in FreeBSD-7.0.
BR,
Yi-Wen
Bjoern A. Zeeb wrote:
On Wed, 1 Aug 2007, blue wrote:
Hi,
Dear all:
I do not know the purpose of the following code at the very
beginning of ip6_input():

    #ifdef IPSEC
        /*
         * should the inner packet be considered authentic?
         * see comment in ah4_input().
         */
        if (m) {
            m->m_flags &= ~M_AUTHIPHDR;
            m->m_flags &= ~M_AUTHIPDGM;
        }
    #endif

Consider the case: a packet is encrypted as AH tunneled, and FreeBSD
is the end point of the tunnel. After it tore off the outer IPv6
header, the mbuf will be inserted into NETISR again. Then ip6_forward()
will be called again to process the packet. However, in
ipsec6_in_reject(), the packet's source and destination will match
the SP entry. Since ip6_input() has turned off the flags M_AUTHIPHDR
and M_AUTHIPDGM, the packet will be dropped.
I don't think the AH tunnel could work properly with this code.
I was pointed at this.
I am a bit unsure about your setup as you are talking about "AH
tunneled" and "encrypted" while at the end it's "AH tunnel" only.
So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
Can you describe the setup this would be a problem in detail and maybe
file a PR so this won't be lost again.
We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
could look into both at the same time I guess.
PS: I am assuming this was with (Fast) IPsec, not KAME IPsec
implementation? The date was too close to the change, so I thought it
might be better to ask ;-)
Thanks
/bz
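The flag sequence blue describes, as an added illustration that is not code from the thread or from the FreeBSD tree: a deliberately simplified model of the mbuf flag handling (the struct, the model_* functions and the two scenario functions are assumptions for this example) that contrasts AH transport mode, where the inner payload passes ip6_input() only once, with AH tunnel mode, where the re-injected inner packet passes ip6_input() a second time and loses the M_AUTHIPHDR / M_AUTHIPDGM marks before ipsec6_in_reject() looks at them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag values for this model; only their names match the thread. */
#define M_AUTHIPHDR 0x0001u
#define M_AUTHIPDGM 0x0002u

/* Minimal stand-in for the kernel mbuf: only the flags word matters here. */
struct mbuf_model {
    uint32_t m_flags;
};

/* Models the #ifdef IPSEC block at the top of ip6_input(): clear both marks. */
static void model_ip6_input(struct mbuf_model *m)
{
    m->m_flags &= ~M_AUTHIPHDR;
    m->m_flags &= ~M_AUTHIPDGM;
}

/* Models AH input: once the ICV verifies, mark the packet as authenticated. */
static void model_ah6_input(struct mbuf_model *m)
{
    m->m_flags |= M_AUTHIPHDR | M_AUTHIPDGM;
}

/* Models ipsec6_in_reject() for an SP that requires AH: reject unless marked. */
static bool model_ipsec6_in_reject(const struct mbuf_model *m)
{
    return (m->m_flags & M_AUTHIPHDR) == 0;
}

/* AH transport mode: ip6_input clears, AH marks, the transport-layer policy check passes. */
bool ah_transport_accepted(void)
{
    struct mbuf_model m = { 0 };
    model_ip6_input(&m);
    model_ah6_input(&m);
    return !model_ipsec6_in_reject(&m);
}

/* AH tunnel mode: after AH strips the outer header, the inner packet is re-queued
 * to ip6_input, which clears the marks again, so the policy check now rejects it. */
bool ah_tunnel_accepted(void)
{
    struct mbuf_model m = { 0 };
    model_ip6_input(&m);   /* outer IPv6 packet arrives */
    model_ah6_input(&m);   /* AH verified; outer header torn off */
    model_ip6_input(&m);   /* inner packet re-enters via NETISR: marks lost */
    return !model_ipsec6_in_reject(&m);
}
```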
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net