Bug 23400

Summary: IPsec transport mode precludes filtering on underlying transport header
Product: Base System
Reporter: seraf <seraf>
Component: kern
Assignee: freebsd-net (Nobody) <net>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description seraf 2000-12-09 03:00:01 UTC
With KAME IPsec in transport mode, and packet filtering (ipfilter or
ipfw), on FreeBSD 4, packets seem to be processed like:
        INPUT -> filters -> ipsec -> rest of ip stack
        rest of ipstack -> ipsec -> filters -> OUTPUT   

In this sequence, the transport-layer protocol appears to the filters
as ESP(50) or AH(51).  As such, the filters perform no inspection of the
underlying transport's parameters -- such as TCP port or ICMP message
type -- because they are encrypted, and/or because they are 'hidden'
behind the AH header.

Though the OpenBSD and FreeS/WAN implementations of IPsec present the
same limitation to outside packet filters (ipfilter or ipchains), they
compensate with their own packet-filtering options, which apply to a
pre-IPsec'd (outbound) or de-IPsec'd (inbound) packet.  FreeBSD IPsec
provides no such packet filtering.

The only solution right now is to make each packet pass through two
interfaces, once in its IPsec'd state, and once not, and perform packet
filtering on both.  This is natural with pipsecd or IPsec tunnel mode,
but IPsec transport mode still has this fundamental security limitation.
Comment 1 Robert Watson freebsd_committer freebsd_triage 2002-06-18 20:20:26 UTC
Responsible Changed
From-To: freebsd-bugs->rwatson

Take ownership of this since this problem has caught my attention.
Some sites wish to do post-IPsec processing of the recently tunnel-ejected packets.
Comment 2 Robert Watson freebsd_committer freebsd_triage 2003-11-07 06:06:41 UTC
Responsible Changed
From-To: rwatson->guido

Guido and I had a long conversation about this at the FREENIX PC 
meeting early this year, and he merged some changes relating to the 
problem.  Assign the PR to him so he can decide if the fixes he 
committed solve this problem or not.
Comment 3 Bruce M Simpson freebsd_committer freebsd_triage 2004-06-22 17:48:10 UTC
Responsible Changed
From-To: guido->net

Seems relevant to current work being done by andre@ and 
others in the area of layering/pfil_hooks
Comment 4 bzeeb-lists 2004-06-28 22:25:28 UTC
> o [2000/12/09] kern/23400  net         IPsec transport mode precludes filtering

I think this one can be closed.

We can do filtering of IP encapsulated in IPSec since

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c#rev1.34
resp.
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c#rev1.51

with the ipsec flag.

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
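Added illustration, not code from this PR, from ipfw, or from the FreeBSD kernel: a small Python model of the two input-path orderings discussed above. It shows why a filter that runs only before IPsec processing (the order in the description) never sees the TCP port behind an ESP header, and how a second filter pass over the decapsulated packet, with a rule option modelled on the ipfw `ipsec` keyword Comment 4 refers to, restores port-level control. The `Packet`/`Rule` classes, the peer set, the ruleset and the sample packets are all constructed; decapsulation is simplified to "ESP/AH from a known peer reveals its inner transport packet" and does no real authentication or decryption.

```python
"""Constructed model (not FreeBSD kernel code) of the two input-path
orderings discussed in this PR: filtering before IPsec decapsulation
versus re-filtering the decapsulated packet with its IPsec history."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers named in the report
ESP, AH, TCP = 50, 51, 6


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                        # protocol number the filter sees
    dport: Optional[int] = None       # TCP destination port, if visible
    inner: Optional["Packet"] = None  # transport payload hidden behind ESP/AH
    ipsec_history: bool = False       # set once the IPsec layer has processed it


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    ipsec: bool = False           # models ipfw's "ipsec" option: require IPsec history

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ipsec and not p.ipsec_history:
            return False
        return True


def run_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match means deny (default-deny ruleset)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def ipsec_input(p: Packet, sa_peers: set) -> Packet:
    """Transport-mode decapsulation, simplified: if the outer header is ESP/AH
    from a peer we hold an SA with, hand up the transport packet it was hiding,
    tagged with IPsec history. Authentication/decryption is assumed to succeed;
    a real stack would drop the packet on failure."""
    if p.proto in (ESP, AH) and p.inner is not None and p.src in sa_peers:
        return Packet(p.src, p.dst, p.inner.proto, p.inner.dport, ipsec_history=True)
    return p


def input_path_as_reported(rules, p, sa_peers) -> Tuple[str, Optional[Packet]]:
    """INPUT -> filters -> ipsec -> rest of ip stack (the ordering in the report).
    The filter sees only ESP/AH; whatever decapsulation yields is never filtered."""
    if run_filter(rules, p) == "deny":
        return "deny", None
    return "allow", ipsec_input(p, sa_peers)


def input_path_refiltered(rules, p, sa_peers) -> Tuple[str, Optional[Packet]]:
    """Same, but the decapsulated packet goes through the filter a second time,
    carrying IPsec history so rules with ipsec=True can match it."""
    if run_filter(rules, p) == "deny":
        return "deny", None
    inner = ipsec_input(p, sa_peers)
    if inner is not p and run_filter(rules, inner) == "deny":
        return "deny", None
    return "allow", inner


# Constructed ruleset: let ESP/AH reach the IPsec layer, accept SSH only when it
# arrived inside IPsec, deny every other TCP connection.
RULES = [
    Rule("allow", proto=ESP),
    Rule("allow", proto=AH),
    Rule("allow", proto=TCP, dport=22, ipsec=True),
    Rule("deny", proto=TCP),
]
PEERS = {"10.0.0.2"}  # constructed: hosts we hold a transport-mode SA with

# Constructed sample traffic (addresses are placeholders)
ESP_SSH = Packet("10.0.0.2", "10.0.0.1", ESP, inner=Packet("10.0.0.2", "10.0.0.1", TCP, 22))
ESP_TELNET = Packet("10.0.0.2", "10.0.0.1", ESP, inner=Packet("10.0.0.2", "10.0.0.1", TCP, 23))
CLEAR_SSH = Packet("192.0.2.9", "10.0.0.1", TCP, 22)


def demo() -> dict:
    """Verdict of each ordering for each sample packet: name -> (reported, refiltered)."""
    results = {}
    for name, pkt in (("esp_ssh", ESP_SSH), ("esp_telnet", ESP_TELNET), ("clear_ssh", CLEAR_SSH)):
        results[name] = (input_path_as_reported(RULES, pkt, PEERS)[0],
                         input_path_refiltered(RULES, pkt, PEERS)[0])
    return results


if __name__ == "__main__":
    for name, (reported, refiltered) in demo().items():
        print(f"{name:10s} reported-order={reported:5s} refiltered={refiltered}")
```

The telnet-inside-ESP packet is the case the report is about: with the reported ordering it is allowed, because the only thing the filter ever saw was protocol 50; with the second pass it is denied on port 23. The third rule is the shape of an ipfw rule such as `ipfw add allow tcp from any to me 22 ipsec` (the `ipsec` option documented in ipfw(8)), which also rejects the cleartext SSH attempt from a host that never went through the IPsec layer; on 4-STABLE that option is only meaningful in a kernel built with the compile-time option Comment 5 mentions.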
Comment 5 Andre Oppermann freebsd_committer freebsd_triage 2004-06-28 23:07:07 UTC
State Changed
From-To: open->closed

The functionality requested has been implemented in ip_fw2 and is 
available to 4-STABLE users as a kernel compile-time option.