Date:      Fri, 8 Dec 2000 18:56:23 -0800 (PST)
From:      seraf@2600.com
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/23400: IPsec transport mode precludes filtering on underlying transport header
Message-ID:  <200012090256.eB92uNg57643@freefall.freebsd.org>
Resent-Message-ID: <200012090300.eB9301n57971@freefall.freebsd.org>


>Number:         23400
>Category:       kern
>Synopsis:       IPsec transport mode precludes filtering on underlying transport header
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 08 19:00:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Dominick LaTrappe
>Release:        RELENG_4
>Organization:
>Environment:
>Description:
With KAME IPsec in transport mode, and packet filtering (ipfilter or
ipfw), on FreeBSD 4, packets seem to be processed like:
        INPUT -> filters -> ipsec -> rest of ip stack
        rest of ip stack -> ipsec -> filters -> OUTPUT

In this sequence, the transport-layer protocol appears to the filters
as ESP(50) or AH(51).  As such, the filters perform no inspection of the
underlying transport's parameters -- such as TCP port or ICMP message
type -- because they are encrypted, and/or because they are 'hidden'
behind the AH header.

Though the OpenBSD and FreeS/WAN implementations of IPsec present the
same limitation to outside packet filters (ipfilter or ipchains), they
compensate with their own packet-filtering options, which apply to a
pre-IPsec'd (outbound) or de-IPsec'd (inbound) packet.  FreeBSD IPsec
provides no such packet filtering.

The only solution right now is to make each packet pass through two
interfaces, once in its IPsec'd state, and once not, and perform packet
filtering on both.  This is natural with pipsecd or IPsec tunnel mode,
but IPsec transport mode still has this fundamental security limitation.

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

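To make the ordering problem in the description concrete, here is an added example (not code from this PR, FreeBSD or KAME) that builds a constructed IPv4+AH+TCP packet and runs a port-based filter rule against it both as an outside filter sees it (outer protocol 51) and after the AH header is removed, as IPsec input processing would do. It uses AH because there the inner transport header is merely hidden; with ESP it is encrypted and no filter can recover it without the SA. All helper names are hypothetical.

```python
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51   # the outer protocol an outside filter sees in AH transport mode

def ipv4_header(proto, payload_len, src="10.0.0.1", dst="10.0.0.2"):
    # Minimal 20-byte IPv4 header; checksum left zero (constructed sample, never sent).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(next_hdr, spi=0x1000, seq=1, icv=b"\x00" * 12):
    # RFC 2402 AH: next header, payload length (AH length in 32-bit words minus 2),
    # reserved, SPI, sequence number, then the ICV (12 bytes for HMAC-96).
    ah_len_words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_hdr, ah_len_words - 2, 0, spi, seq) + icv

def tcp_header(sport=40000, dport=23):
    # Minimal 20-byte TCP header with SYN set; only the ports are inspected here.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def l4_view(pkt):
    """Return (protocol, bytes after the IP header) as an outside filter sees them."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]

def strip_ah(pkt):
    """Remove the AH header so the packet looks as it does after IPsec input processing."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_AH:
        return pkt
    next_hdr, payload_len = pkt[ihl], pkt[ihl + 1]
    ah_len = (payload_len + 2) * 4
    inner = bytearray(pkt[:ihl] + pkt[ihl + ah_len:])
    inner[9] = next_hdr          # protocol field now names the real transport
    return bytes(inner)

def rule_matches(pkt, proto, dport):
    """A port-based rule such as 'pass in proto tcp from any to any port 23'."""
    seen_proto, l4 = l4_view(pkt)
    if seen_proto != proto or len(l4) < 4:
        return False
    return struct.unpack("!HH", l4[:4])[1] == dport

def demo():
    tcp = tcp_header(dport=23)
    ah = ah_header(IPPROTO_TCP)
    pkt = ipv4_header(IPPROTO_AH, len(ah) + len(tcp)) + ah + tcp
    before = rule_matches(pkt, IPPROTO_TCP, 23)           # filter before IPsec: sees proto 51
    after = rule_matches(strip_ah(pkt), IPPROTO_TCP, 23)  # filter on the de-IPsec'd packet
    return before, after
```

`demo()` returns `(False, True)`: the same TCP-port rule is blind while the packet is still IPsec'd and only matches once the AH header has been removed, which is the second filtering pass the report describes as the only current workaround.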
