Date:      Tue, 18 Feb 2014 13:26:34 -0500
From:      "David DeSimone" <ddesimone@verio.net>
To:        "Michael Glasgow" <glasgow@beer.net>
Cc:        freebsd-net@freebsd.org
Subject:   RE: ipsec foils traceroute on gre/gif
Message-ID:  <CAABACD8BCAE7B4B8A7906EEDC9DEBC501FD4D1B@IAD-WPRD-XCHB01.corp.verio.net>
In-Reply-To: <201402180613.s1I6DdhS020353@dark.beer.net>
References:  <201402180613.s1I6DdhS020353@dark.beer.net>

My understanding of this issue is that replying with an ICMP message for traceroute carries the risk of violating security policy.

When an ICMP Unreachable packet is generated, the first 64 octets in the packet are copied into the reply.  If the packet was originally encrypted with IPSEC, those octets were never seen unencrypted on the wire.  If the ICMP Unreachable were permitted to be generated and sent, it could very well reveal the unencrypted IPSEC packet contents on the wire, because the source/destination IPs of the ICMP message no longer match SPDs.

Thus the conservative decision in the kernel is to drop the TTL-exceeded packet coming from IPSEC, with no reply.

In other words, "working as intended."


-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Michael Glasgow
Sent: Tuesday, February 18, 2014 12:14 AM
To: freebsd-net@freebsd.org
Subject: ipsec foils traceroute on gre/gif

I noticed traceroute misses a hop when crossing an encrypted gif
or gre tunnel, e.g.:

$ sudo traceroute -I 172.29.0.5
traceroute to 172.29.0.5 (172.29.0.5), 30 hops max, 60 byte packets
 1  169.254.249.21 (169.254.249.21)  0.524 ms  0.728 ms  0.726 ms
 2  169.254.249.25 (169.254.249.25)  1.143 ms  1.160 ms  1.156 ms
 3  * * *
 4  172.29.0.5 (172.29.0.5)  241.931 ms  247.545 ms  252.398 ms

Firewalls are all completely disabled in the above example.  It
appears the TTL-exceeded ICMP isn't properly generated.  Poking
through the archives, I found this old thread with a lot of info:

http://lists.freebsd.org/pipermail/freebsd-net/2008-November/019928.html

But alas, the final word on whether the recommended fix had any
untoward security ramifications was not forthcoming.  Anyone have
an interest in resurrecting this?

-- 
Michael Glasgow <glasgow@beer.net>
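The leak David describes can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from either author. It builds an ICMP Time Exceeded message the way RFC 792 specifies it (type 11, code 0, then the offending datagram's IP header plus the first 64 bits of its payload; RFC 1812 lets a router quote more, up to 576 bytes in total), and checks the reply's own source/destination against a constructed security policy database. The SPD entries, the 172.29.x.x and 169.254.x.x addresses, and the probe payload are all made up for the example, and the 64-octet quote length is passed in only to mirror the figure used in the message above.

```python
"""Model of why a cleartext ICMP Time Exceeded for an IPsec-protected datagram leaks plaintext.

Added example, not part of the mailing-list thread. SPD, addresses and payload are constructed.
"""
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; verifying a correct message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 1) -> bytes:
    """Minimal IPv4 datagram (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_time_exceeded(offending: bytes, quote_octets: int = 8) -> bytes:
    """ICMP Time Exceeded (type 11, code 0, 4 unused bytes) quoting the offending datagram.

    RFC 792 quotes the IP header plus 64 bits (8 octets) of payload; RFC 1812 allows more.
    """
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + quote_octets]
    msg = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def quoted_datagram(icmp: bytes) -> bytes:
    """The octets of the original datagram echoed back inside a Time Exceeded message."""
    return icmp[8:]


# Constructed SPD: traffic between the two inner subnets of the tunnel must be protected;
# any other selector has no entry and is sent in the clear ("bypass").
SPD = [
    (ipaddress.ip_network("172.29.0.0/24"), ipaddress.ip_network("172.29.1.0/24"), "protect"),
    (ipaddress.ip_network("172.29.1.0/24"), ipaddress.ip_network("172.29.0.0/24"), "protect"),
]


def spd_action(spd, src: str, dst: str) -> str:
    """First-match lookup on (source, destination) selectors; no match means cleartext."""
    for src_net, dst_net, action in spd:
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            return action
    return "bypass"


def ttl_exceeded_reply(spd, inner_pkt: bytes, reply_src: str, quote_octets: int = 8):
    """Model the hop that decapsulated inner_pkt and found its TTL expired.

    Returns (SPD action for the ICMP reply, octets of the protected datagram that
    would reach the wire unencrypted). The reply goes from reply_src to the inner source.
    """
    inner_src = str(ipaddress.IPv4Address(inner_pkt[12:16]))
    inner_dst = str(ipaddress.IPv4Address(inner_pkt[16:20]))
    if spd_action(spd, inner_src, inner_dst) != "protect":
        raise ValueError("example only models datagrams the SPD requires to be protected")
    reply = icmp_time_exceeded(inner_pkt, quote_octets)
    action = spd_action(spd, reply_src, inner_src)
    leaked = quoted_datagram(reply) if action != "protect" else b""
    return action, leaked


def sample_inner() -> bytes:
    """Constructed inner datagram: a UDP traceroute-style probe whose TTL has reached 1."""
    udp = struct.pack("!HHHH", 33434, 33434, 8 + 8, 0) + b"PRIVATE!"
    return ipv4_packet("172.29.0.1", "172.29.1.5", 17, udp, ttl=1)


if __name__ == "__main__":
    inner = sample_inner()
    # Reply sourced from a transit address no SPD entry covers: sent in the clear, payload exposed.
    print(ttl_exceeded_reply(SPD, inner, "169.254.249.29", quote_octets=64))
    # Reply sourced from an inner-subnet address: the SPD matches, the reply is protected.
    print(ttl_exceeded_reply(SPD, inner, "172.29.1.254", quote_octets=64))
```

The two calls in the `__main__` block are the whole argument: the inner datagram was only ever on the wire inside ESP, but the ICMP reply is a new datagram with its own selectors, and when those selectors fall outside every SPD entry the quoted bytes, payload included, go out unencrypted. Dropping the expired packet without a reply, as the kernel does, is the conservative way to avoid that; a stack that wanted to answer would have to source the reply from an address the SPD protects, or apply the original datagram's policy to the reply.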