Bug 94273

Summary: [ipsec] [patch] IPIP decapsulation problem in FAST_IPSEC stack
Product: Base System Reporter: VANHULLEBUS Yvan <vanhu>
Component: kernAssignee: Andrey V. Elsukov <ae>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 6.0-STABLE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description VANHULLEBUS Yvan 2006-03-09 14:40:13 UTC 
FAST_IPSEC doesn't correctly remove the IPIP header for Tunneled packets.

It works (guess by accident), because the IPIP header is removed when
the packet is reinjected in ip_input.c, but that implies an extra call
to ip_input.

There is some code to remove the IPIP header in ipsec_input.c, but it
doesn't correctly work.

How-To-Repeat: Set up a tunnel mode IPSec conf, and looks what happens in ip_input....
Comment 1 George V. Neville-Neil freebsd_committer freebsd_triage 2006-03-10 11:35:15 UTC 
Responsible Changed
From-To: freebsd-bugs->gnn@freebsd.org

Taken for testing and repair.
Comment 2 Dmitry Andrianov 2006-09-27 15:55:27 UTC 
It is more than half an year since the patch was submitted and it is not
committed to CVS yet. Just wonder whether it will be included with 6.2
release?

Regards,
Dmitry Andrianov

PS: there is also a ipsec6_common_input_cb function. Shouldn't it be
patched the same way?
Comment 3 VANHULLEBUS Yvan 2006-09-27 16:05:04 UTC 
On Wed, Sep 27, 2006 at 06:55:27PM +0400, Dmitry Andrianov wrote:
> It is more than half an year since the patch was submitted and it is not
> committed to CVS yet. Just wonder whether it will be included with 6.2
> release?

To be more exact, it looks like the patch has been reported to
RELENG_6 branch, but is disabled.



> Regards,
> Dmitry Andrianov
> 
> PS: there is also a ipsec6_common_input_cb function. Shouldn't it be
> patched the same way?

Probably, but as I didn't have an IPv6 build, I couldn't make tests.



Yvan.

-- 
NETASQ
http://www.netasq.com
Comment 4 Bjoern A. Zeeb freebsd_committer freebsd_triage 2007-12-31 12:26:29 UTC 
I had been looking at that code while looking at enc(4). I am not yet
sure if not going via ip_input again with the ipip header would break
IPIP over ipsec tunnel modes. I have to investigate that.

This is related to the ipencap rules needed with pf(4) because of the
extra roundtrip via ip_input.

OpenBSD has code for that but it looks strange reading it. We need to
be sure to not break anything.


PS: gnn if you want you can assign this to me.

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
Comment 5 George V. Neville-Neil freebsd_committer freebsd_triage 2010-06-15 18:17:30 UTC 
Responsible Changed
From-To: gnn->bz

Re-assign. This might already be fixed.
Comment 6 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-04-04 10:36:44 UTC 
Responsible Changed
From-To: bz->ae

I'm working on this now.
Comment 7 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-10-07 10:43:46 UTC 
Fixed in head/.