Hi Neale/all,

I've noticed an inconsistency between the default behaviour for non-matching 
packets in the ipsec-input and ipsec-output nodes. I'm not sure if this 
intended or not.

The summary is:
- For ipsec-output, any non-matching packets are dropped by default with the 
same mechanism as per a matching DISCARD rule
- For ipsec-input, any non-matching packets are passed to the next node as if 
they matched a BYPASS rule

Below are some packet traces that show this behaviour. The setup is 2x 
interfaces configured as ip neighbors, with an SPD bound to each. Traffic 
entering an interface is routed through the other interface and vice-versa (see 
attached ipsec-default-drop.txt for full script).

When SPD contains only matching INBOUND BYPASS rules:
00:00:07:340457: dpdk-input
00:00:07:340523: ethernet-input
00:00:07:340566: ip4-input-no-checksum
00:00:07:340601: ipsec4-input-feature
IPSEC_ESP: sa_id 0 spd 2 policy 1 spi 1000 (0x000003e8) seq 3 <----- MATCHED 
INBOUND RULE (policy 1)
00:00:07:340642: ip4-lookup
00:00:07:340667: ip4-rewrite
00:00:07:340680: ipsec4-output-feature
spd 1 policy -1 <----- DID NOT MATCH ANY RULES (policy -1)
00:00:07:340693: error-drop <----- PACKET DROPPED
00:00:07:340707: drop

When SPD contains only matching OUTBOUND BYPASS rules:
00:00:11:759484: dpdk-input
00:00:11:759570: ethernet-input
00:00:11:759624: ip4-input-no-checksum
00:00:11:759654: ipsec4-input-feature
UDP: sa_id 4294967295 spd 2 policy -1 spi 612811835 (0x2486c43b) seq 748568697 
<---- DID NOT MATCH (policy -1)
00:00:11:759689: ip4-lookup <----- PACKET *NOT* DROPPED, PASSED ON AS NORMAL
00:00:11:759721: ip4-rewrite
00:00:11:759733: ipsec4-output-feature
spd 1 policy 1 <---- MATCHED OUTBOUND RULE
00:00:11:759774: TenGigabitEthernet7/0/0-output
00:00:11:759801: TenGigabitEthernet7/0/0-tx

Looking at the code in ipsec_output.c, we can see that for non-matching 
packets, we call next_node_index = im->error_drop_node_index to drop the 
packet. In ipsec_input.c, we only increment the counter ipsec_unprocessed += 1 
and we move to the next packet as per a matching BYPASS rule. From what I can 
tell, this is the same for both ipv4/ipv6 traffic.

Looking at the IPSec RFC4301 [1], it seems to suggest that the default action 
for both non-matching inbound/output packets should be DISCARD.
e.g.
“Since the SPD-I is just a part of the SPD, if a packet that is looked up in 
the SPD-I cannot be matched to an entry there, then the packet MUST
be discarded” [2]

" ...  the SPD (or associated caches) MUST be consulted during the processing 
of all traffic that crosses the IPsec protection boundary, including IPsec 
management traffic.  If no policy is found in the SPD that matches a packet 
(for either inbound or outbound traffic), the packet MUST be discarded." [3]

"Every SPD SHOULD have a nominal, final entry that catches anything that is 
otherwise unmatched, and discards it.  This ensures that non-IPsec-protected 
traffic that arrives and does not match any SPD-I entry will be discarded." [4]

In the section 5.2.  Processing Inbound IP Traffic (unprotected-to-protected) 
[4], there is also a diagram that seems to support this.

Is there a reason that the input side is setup like this? Unless there is a 
good reason for allowing inbound traffic by default, I would propose to patch 
the ipsec-input node to align with ipsec-output and drop traffic by default.

Best,

Zach

[1]: https://datatracker.ietf.org/doc/html/rfc4301
[2]: https://datatracker.ietf.org/doc/html/rfc4301#section-4.4.1
[3]: https://datatracker.ietf.org/doc/html/rfc4301#section-5
[4]: https://datatracker.ietf.org/doc/html/rfc4301#section-5.2
set int ip address TenGigabitEthernet7/0/0 10.10.10.1/24
set int ip address TenGigabitEthernet7/0/1 20.20.20.1/24

set int state TenGigabitEthernet7/0/0 up
set int state TenGigabitEthernet7/0/1 up

set interface promiscuous on TenGigabitEthernet7/0/0
set interface promiscuous on TenGigabitEthernet7/0/1

set ip neighbor TenGigabitEthernet7/0/0 10.10.10.10 00:00:0A:81:11:22 static 
count 1
set ip neighbor TenGigabitEthernet7/0/1 20.20.20.20 00:00:0A:81:11:11 static 
count 1

ipsec spd add 1
set interface ipsec spd TenGigabitEthernet7/0/0 1

ipsec spd add 2
set interface ipsec spd TenGigabitEthernet7/0/1 2

// input rules only - delete this or below
ipsec policy add spd 1 priority 1 inbound action bypass remote-ip-range 
10.10.10.0 - 10.10.10.255 local-ip-range 20.20.20.0 - 20.20.20.255
ipsec policy add spd 2 priority 1 inbound action bypass remote-ip-range 
20.20.20.0 - 20.20.20.255 local-ip-range 10.10.10.0 - 10.10.10.255
// end

// output rules only - delete this or above
ipsec policy add spd 2 priority 1 outbound action bypass outbound 
local-ip-range 10.10.10.0 - 10.10.10.255 remote-ip-range 20.20.20.0 - 
20.20.20.255
ipsec policy add spd 1 priority 1 outbound action bypass outbound 
local-ip-range 20.20.20.0 - 20.20.20.255 remote-ip-range 10.10.10.0 - 
10.10.10.255
// end
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19975): https://lists.fd.io/g/vpp-dev/message/19975
Mute This Topic: https://lists.fd.io/mt/84943480/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to