Date:      Tue, 22 Mar 2011 00:11:29 -0500
From:      "David DeSimone" <fox@verio.net>
To:        <freebsd-net@freebsd.org>
Subject:   Re: tcp/ip stack sending icmp "ttl exceeded in traffic" back through gre \w ipsec-esp encryption tunnels.
Message-ID:  <20110322051128.GM9636@verio.net>
In-Reply-To: <cabf825bc3c602d1a1b638fa9aae35da@localhost>
References:  <cabf825bc3c602d1a1b638fa9aae35da@localhost>

Andrei Manescu - Ivorde <andrei.manescu@ivorde.ro> wrote:
>
> Problem: RouterA and RouterB in the following
> diagram are FreeBSD 6.4-STABLE and 7.4-STABLE running a gre tunnel and
> ipsec transport mode encryption on top of it. 
> 
> None of them send an icmp
> error "TTL Exceeded in traffic" when the TTL of the packet reaches 0 after
> they decrement it.  Code:
> 
> hostA----RouterA--GRE-inside-IPSEC/ESP/transport---RouterB---hostB
> 
> Packets
> sent from hostA to hostB with a TTL2 that should have an ICMP "TTL
> exceeded in traffic" returned by RouterB have no effect. 

Isn't this by design?

An ICMP reply might be sent to an unrelated router hop, meaning there is
no security association for it.  Since that ICMP reply will contain
the header of the expired packet, sending that reply will take a packet
that was encrypted, and send part of it back, unencrypted.  This could
potentially provide an attacker with some known plaintext with which to
attack your VPN's encryption keys.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow


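The leak David describes can be made concrete with a small model of the router decision, added here as an illustration and not code from FreeBSD or from anyone in this thread. It assumes RFC 792 quoting (the ICMP error carries the expired datagram's IP header plus its first 8 payload bytes), and the addresses, tunnel policy and TCP-looking payload are constructed sample values; `router_handle`, `tunnel_policy` and the other names are hypothetical. The model shows that the quoted bytes in the ICMP "time exceeded" message are exactly the first 28 bytes of the packet that arrived inside the ESP-protected GRE tunnel, and that a router which only emits the error when the reply destination is covered by the tunnel's security policy never puts those bytes on the wire in the clear.

```python
"""Model of ICMP 'time exceeded in transit' (type 11, code 0) at a router
whose inbound packet arrived through an ESP-protected GRE tunnel.
Added example; addresses and policy below are constructed, not real."""
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11  # RFC 792 ICMP type
CODE_TTL_IN_TRANSIT = 0  # code 0: time to live exceeded in transit


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram: 20-byte header without options, then payload."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_time_exceeded(expired: bytes) -> bytes:
    """Type 11 / code 0 message: 4 unused bytes, then the expired datagram's
    IP header plus its first 8 payload bytes (RFC 792 quoting)."""
    quoted = expired[:28]
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_TTL_IN_TRANSIT, 0, 0) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def quoted_bytes(icmp: bytes) -> bytes:
    """The part of an ICMP error that echoes the original datagram."""
    return icmp[8:]


def tunnel_policy(network: str):
    """Return a predicate: is this destination covered by the tunnel's SPD?
    (Constructed stand-in for an IPsec security policy lookup.)"""
    net = ipaddress.ip_network(network)
    return lambda dst: ipaddress.ip_address(dst) in net


def router_handle(packet: bytes, arrived_protected: bool, spd_covers) -> tuple:
    """Decide what the router does with one inbound IPv4 datagram.
    ("forward", pkt)   TTL decremented, header checksum recomputed
    ("icmp", msg)      TTL expired and the error reply is covered by the SPD
    ("drop", reason)   TTL expired, but the error would carry the quoted
                       inner header to a peer with no SA, in the clear."""
    ttl = packet[8]
    if ttl > 1:
        out = bytearray(packet)
        out[8] = ttl - 1
        out[10:12] = b"\x00\x00"
        out[10:12] = struct.pack("!H", checksum(bytes(out[:20])))
        return ("forward", bytes(out))
    reply_dst = str(ipaddress.IPv4Address(packet[12:16]))
    if arrived_protected and not spd_covers(reply_dst):
        return ("drop", "no SA toward %s; error would expose %d quoted bytes"
                % (reply_dst, len(packet[:28])))
    return ("icmp", icmp_time_exceeded(packet))


def demo() -> dict:
    """Run the three cases: covered source, uncovered source, TTL not yet expired."""
    covers = tunnel_policy("10.0.1.0/24")          # hostA's network behind RouterA
    tcp_like = b"\x04\xd2\x00\x50" + b"\x00" * 8   # constructed 12-byte payload
    inside = ipv4_packet("10.0.1.10", "10.0.2.10", 6, 1, tcp_like)
    outside = ipv4_packet("192.0.2.7", "10.0.2.10", 6, 1, tcp_like)
    fresh = ipv4_packet("10.0.1.10", "10.0.2.10", 6, 5, tcp_like)
    return {
        "covered": router_handle(inside, True, covers),
        "uncovered": router_handle(outside, True, covers),
        "fresh": router_handle(fresh, True, covers),
    }


if __name__ == "__main__":
    for name, (action, result) in demo().items():
        print(name, action, result if isinstance(result, str) else result.hex())
```

Running `demo()` shows the "covered" case producing an ICMP message whose quoted bytes equal the first 28 bytes of the packet that was decrypted on arrival, which is the known-plaintext relation the reply above describes; the "uncovered" case is dropped rather than answered, and the "fresh" case is simply forwarded with its TTL decremented.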
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110322051128.GM9636>