clarify problem with inbound AH.

spdadd A B -P in ipsec esp/tunnel/C-D/use ah/tunnel/C-D/require;
does not work due to 1-bit validation bit we are using with inbound
policy checking.

Submitted by:	itojun
Obtained from:	KAME
MFC after:	1 week
Hajimu UMEMOTO 2001-06-27 19:41:20 +00:00
parent 1026ccc41c
commit d1b402ad6f


@ -1,5 +1,5 @@
.\" $FreeBSD$
.\" $KAME: ipsec.4,v 1.15 2001/04/05 01:00:45 itojun Exp $
.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
@ -61,7 +61,7 @@ and protects it from intermediate alteration or impersonation,
by attaching cryptographic checksum computed by one-way hash functions.
.Nm
has two operation modes: transport mode and tunnel mode.
Transport mode is for protecting peer-to-peer commuication between end nodes.
Transport mode is for protecting peer-to-peer communication between end nodes.
Tunnel mode includes IP-in-IP encapsulation operation
and is designed for security gateways, like VPN configurations.
.\"
@ -294,15 +294,26 @@ The IPsec support is subject to change as the IPsec protocols develop.
There is no single standard for policy engine API,
so the policy engine API described herein is just for KAME implementation.
.Pp
AH tunnel may not work as you might expect.
If you configure
AH and tunnel mode encapsulation may not work as you might expect.
If you configure inbound
.Dq require
policy against AH tunnel for inbound, tunnelled packets will be rejected.
This is because AH authenticates encapsulating
policy against AH tunnel or any IPsec encapsulating policy with AH
.Po
like
.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require
.Pc ,
tunnelled packets will be rejected.
This is because we enforce policy check on inner packet on reception,
and AH authenticates encapsulating
.Pq outer
packet, not the encapsulated
.Pq inner
packet.
packet
.Po
so for the receiving kernel there's no sign of authenticity
.Pc .
The issue will be solved when we revamp our policy engine to keep all the
packet decapsulation history.
.Pp
Under certain condition,
truncated result may be raised from the kernel
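Review bot: the example policy added here, `esp/tunnel/A-B/use ah/transport/A-B/require`, does not match the case the commit message says fails, `esp/tunnel/C-D/use ah/tunnel/C-D/require`, where the AH leg is itself in tunnel mode. Since the new wording says the rejection applies to "AH tunnel or any IPsec encapsulating policy with AH", showing both forms, or stating that the AH leg may be either transport or tunnel mode, would keep the man page and the commit in agreement. Two smaller points: the cause sentence "we enforce policy check on inner packet on reception" would be clearer if it stated the consequence directly, namely that the decapsulated inner packet carries no AH header and so cannot satisfy a `require` policy (the parenthetical "no sign of authenticity" nearly says this); and "The issue will be solved when we revamp our policy engine" promises unscheduled work in a man page, so "may be addressed when the policy engine is revised to keep the packet decapsulation history" reads safer. Finally, the old line `packet.` is replaced by `packet` followed by `.Po ... .Pc .`, so the sentence's full stop now comes from the argument to `.Pc`; that is correct mdoc, but the trailing `.` must not be lost in a later edit.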