On 2010-10-03, Devin Reade <g...@gno.org> wrote:
<snip *excellent* write-up of the problem and network layout;
if only all problem reports were this good!>
So basically there are untrusted machines on the interface on which you
also run pfsync. This is an unsupported configuration, as per pfsync(4):

     It is important that the pfsync traffic be well secured as there is no
     authentication on the protocol and it would be trivial to spoof packets
     which create states, bypassing the pf ruleset.  Either run the pfsync
     protocol on a trusted network - ideally a network dedicated to pfsync
     messages such as a crossover cable between two firewalls, or specify a
     peer address and protect the traffic with ipsec(4).

(though I do think this warning could be strengthened).

There might be a way that this particular problem with multicast traffic
from avahi could be avoided (full pcap traces of the relevant traffic e.g.
"tcpdump -i interface -s 1500 -w somefile.pcap" would help work this out)
but it's still unsafe. Until you can move to a dedicated nic, I would
suggest switching to using syncpeer in pfsync config, and ipsec with
manual keying to protect the traffic e.g.

isakmpd_flags="-Ka"
ipsec=YES

and in ipsec.conf on one side,

# first spi/key of each pair: 1.1.1.1 -> 2.2.2.2, second: 2.2.2.2 -> 1.1.1.1
flow esp proto pfsync from 1.1.1.1 to 2.2.2.2
esp from 1.1.1.1 to 2.2.2.2 spi 0x12345678:0x9abcdef0 \
        authkey 0x1111111111111111111111111111111111111111111111111111111111111111:0x2222222222222222222222222222222222222222222222222222222222222222 \
        enckey 0x33333333333333333333333333333333:0x44444444444444444444444444444444

and the other,

# same SPIs and keys, with the two halves of each pair swapped
flow esp proto pfsync from 2.2.2.2 to 1.1.1.1
esp from 2.2.2.2 to 1.1.1.1 spi 0x9abcdef0:0x12345678 \
        authkey 0x2222222222222222222222222222222222222222222222222222222222222222:0x1111111111111111111111111111111111111111111111111111111111111111 \
        enckey 0x44444444444444444444444444444444:0x33333333333333333333333333333333

(using your own random hex numbers in place of these).

You will probably want to pass the ipsec traffic (proto esp) with
the "no-sync" option in pf.conf.

(I would not choose to use automatic ipsec keying for this).

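Added example, not part of the mail above or of OpenBSD: a small POSIX sh script that generates the two mirrored ipsec.conf fragments described in the reply with fresh random SPIs and keys, and checks before deployment that the second host's spi/authkey/enckey pairs are the first host's with the halves swapped (the mistake that silently leaves pfsync unprotected or non-functional). It assumes the 1.1.1.1 / 2.2.2.2 addresses from the mail, a writable output directory, and key lengths matching the mail's 32-byte authkey and 16-byte enckey (the ipsec.conf(5) defaults of hmac-sha2-256 and aes-128); the file names and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): generate a matched pair of
# manually keyed ipsec.conf(5) fragments for two pfsync peers and verify
# that the two sides mirror each other.  Addresses, output directory and
# file naming are assumptions of this example.

# $1 random bytes as lowercase hex.  32 bytes for hmac-sha2-256 authkey,
# 16 bytes for aes-128 enckey, 4 bytes for each SPI.
randhex() {
    dd if=/dev/urandom bs="$1" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write one side's fragment to stdout.
# Arguments: local peer spi_out spi_in auth_out auth_in enc_out enc_in
# (first half of each pair = local -> peer, second half = peer -> local)
write_side() {
    cat <<EOF
# pfsync to $2, manually keyed; the flow selects pfsync only
flow esp proto pfsync from $1 to $2
esp from $1 to $2 spi 0x$3:0x$4 \\
        authkey 0x$5:0x$6 \\
        enckey 0x$7:0x$8
EOF
}

# Generate both sides into $3: what is outbound on $1 is inbound on $2.
gen_pair() {
    a=$1; b=$2; dir=$3
    spi_ab=$(randhex 4);   spi_ba=$(randhex 4)
    auth_ab=$(randhex 32); auth_ba=$(randhex 32)
    enc_ab=$(randhex 16);  enc_ba=$(randhex 16)
    write_side "$a" "$b" "$spi_ab" "$spi_ba" "$auth_ab" "$auth_ba" \
               "$enc_ab" "$enc_ba" > "$dir/ipsec.conf.$a"
    write_side "$b" "$a" "$spi_ba" "$spi_ab" "$auth_ba" "$auth_ab" \
               "$enc_ba" "$enc_ab" > "$dir/ipsec.conf.$b"
}

# Value following keyword $1 in file $2 (works across the "\" continuations
# because each keyword and its value sit on one line).
field() {
    awk -v kw="$1" '{ for (i = 1; i <= NF; i++) if ($i == kw) print $(i + 1) }' "$2"
}

# Pre-deployment check of two fragments: every "kw X:Y" in $1 must appear
# as "kw Y:X" in $2, both halves must have the expected hex length (plus
# the 0x prefix), and the two directions must not share a key.
# Prints "mirrored" and returns 0 on success.
check_pair() {
    for spec in spi:8 authkey:64 enckey:32; do
        kw=${spec%%:*}; want=$(( ${spec#*:} + 2 ))
        v1=$(field "$kw" "$1"); v2=$(field "$kw" "$2")
        out=${v1%%:*}; in=${v1#*:}
        [ ${#out} -eq "$want" ] && [ ${#in} -eq "$want" ] ||
            { echo "$kw: wrong length in $1" >&2; return 1; }
        [ "$out" != "$in" ] ||
            { echo "$kw: same value in both directions" >&2; return 1; }
        [ "$in:$out" = "$v2" ] ||
            { echo "$kw: $2 is not the mirror of $1" >&2; return 1; }
    done
    echo mirrored
}

# Usage: sh gen-pfsync-ipsec.sh 1.1.1.1 2.2.2.2 /some/outdir
if [ $# -eq 3 ]; then
    gen_pair "$1" "$2" "$3" &&
        check_pair "$3/ipsec.conf.$1" "$3/ipsec.conf.$2"
fi
```

Copy each fragment into /etc/ipsec.conf on the matching host over a channel you already trust (the keys are the whole protection), then load with ipsecctl -f /etc/ipsec.conf; check_pair is equally usable on two hand-written files to confirm the swap was done correctly.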