From d1b402ad6f5b19a7abe349807ec2b7350b5f697e Mon Sep 17 00:00:00 2001 From: Hajimu UMEMOTO Date: Wed, 27 Jun 2001 19:41:20 +0000 Subject: [PATCH] clarify problem with inbound AH. spdadd A B -P in ipsec esp/tunnel/C-D/use ah/tunnel/C-D/require; does not work due to 1-bit validation bit we are using with inbound policy checking. Submitted by: itojun Obtained from: KAME MFC after: 1 week --- share/man/man4/ipsec.4 | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4 index d9502e6735b0..ab09129aa90c 100644 --- a/share/man/man4/ipsec.4 +++ b/share/man/man4/ipsec.4 @@ -1,5 +1,5 @@ .\" $FreeBSD$ -.\" $KAME: ipsec.4,v 1.15 2001/04/05 01:00:45 itojun Exp $ +.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. .\" All rights reserved. @@ -61,7 +61,7 @@ and protects it from intermediate alteration or impersonation, by attaching cryptographic checksum computed by one-way hash functions. .Nm has two operation modes: transport mode and tunnel mode. -Transport mode is for protecting peer-to-peer commuication between end nodes. +Transport mode is for protecting peer-to-peer communication between end nodes. Tunnel mode includes IP-in-IP encapsulation operation and is designed for security gateways, like VPN configurations. .\" 
@@ -294,15 +294,26 @@ The IPsec support is subject to change as the IPsec protocols develop. There is no single standard for policy engine API, so the policy engine API described herein is just for KAME implementation. .Pp -AH tunnel may not work as you might expect. -If you configure +AH and tunnel mode encapsulation may not work as you might expect. +If you configure inbound .Dq require -policy against AH tunnel for inbound, tunnelled packets will be rejected. -This is because AH authenticates encapsulating +policy against AH tunnel or any IPsec encapsulating policy with AH +.Po +like +.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require +.Pc , +tunnelled packets will be rejected. +This is because we enforce policy check on inner packet on reception, +and AH authenticates encapsulating .Pq outer packet, not the encapsulated .Pq inner -packet. +packet +.Po +so for the receiving kernel there's no sign of authenticity +.Pc . +The issue will be solved when we revamp our policy engine to keep all the +packet decapsulation history. .Pp Under certain condition, truncated result may be raised from the kernel
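Review bot: In the third hunk (the new paragraph at line 294 of ipsec.4) the example policy given to the reader, `esp/tunnel/A-B/use ah/transport/A-B/require`, differs from the one the commit message says fails, `esp/tunnel/C-D/use ah/tunnel/C-D/require`; the manual text should state plainly that both the plain AH tunnel case and the "AH combined with any encapsulating policy" case are rejected under an inbound `require` level, so the reader does not conclude that only the transport-mode combination is affected. The same paragraph explains why packets are dropped (the policy check is enforced on the inner packet, which AH does not authenticate) but gives the administrator no guidance on what configuration is accepted; a sentence saying which level for the AH component the inbound check does accept, or that the combination is currently unsupported on the receiving side, would make the limitation actionable rather than just a warning. Minor wording in the added lines: "we enforce policy check on inner packet on reception" reads better as "the policy check is enforced on the inner packet on reception", and "there's" should be "there is" to match the register of the rest of the page.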