Bug 216681 - IPsec traceroute6 -I does not work
Summary: IPsec traceroute6 -I does not work
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 11.0-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-net (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2017-01-31 20:10 UTC by Jason Mader
Modified: 2017-02-02 00:04 UTC

See Also:


Description Jason Mader 2017-01-31 20:10:18 UTC
It appears the IPsec policy,

spdadd -n 2620:10e:6024:a0::b1 2620:10e:6026:d0::/64 icmp6 -P out ipsec ah/transport//use;

doesn't set the AH with traceroute6 -I. ping6 to the same host does. e.g.

traceroute6 -I

14:55:30.524981 IP6 2620:10e:6024:a0::b1 > 2620:10e:6026:d0::5e40: ICMP6, echo request, seq 5, length 16

ping6

15:03:40.086329 IP6 2620:10e:6024:a0::b1 > 2620:10e:6026:d0::5e40: AH(spi=0xa05e4001,seq=0x211): ICMP6, echo request, seq 0, length 16
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-02-01 21:25:03 UTC
This looks like traceroute6(8) installs an IPSEC BYPASS security policy for the socket it uses. This is why your policy was not applied.
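A way to check from a capture whether an SPD entry is actually being honoured, as an added example that is not code from the bug report or from FreeBSD: it takes the spdadd line and the two tcpdump lines quoted in the description (reused here as the sample input), works out which packets the entry's selector covers, and reports those that left the host without an AH header. The formats assumed are the setkey(8) spdadd syntax and tcpdump -n output as printed in the report; the function and class names are mine.

```python
"""Audit a tcpdump capture for enforcement of an outbound IPsec SPD entry."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Selector and policy part of an spdadd(8) line such as
#   spdadd -n <src> <dst> <upperspec> -P out ipsec ah/transport//use;
SPDADD_RE = re.compile(
    r"spdadd\s+(?:-n\s+)?(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<protocol>ah|esp)/(?P<mode>\w+)/[^/]*/(?P<level>\w+)\s*;"
)

# tcpdump -n output for IPv6, with or without an AH header before the payload:
#   <ts> IP6 <src> > <dst>: AH(spi=0x...,seq=0x...): ICMP6, echo request, ...
#   <ts> IP6 <src> > <dst>: ICMP6, echo request, ...
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP6\s+(?P<src>[0-9a-fA-F:.]+)\s+>\s+(?P<dst>[0-9a-fA-F:.]+):\s+"
    r"(?:AH\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\):\s+)?"
    r"(?P<proto>ICMP6|UDP|TCP)\b"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    proto: str       # "icmp6", "udp", "tcp" or "any"
    direction: str   # "in" or "out"
    level: str       # "use" or "require"


@dataclass(frozen=True)
class Packet:
    ts: str
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    proto: str             # upper-layer protocol as tcpdump printed it, lowercased
    ah_spi: Optional[int]  # SPI of the AH header, or None if the packet had no AH


def parse_spdadd(line: str) -> Policy:
    m = SPDADD_RE.search(line)
    if not m:
        raise ValueError(f"not an spdadd line: {line!r}")
    # strict=False lets a bare host address become a /128 network.
    return Policy(
        src=ipaddress.IPv6Network(m["src"], strict=False),
        dst=ipaddress.IPv6Network(m["dst"], strict=False),
        proto=m["proto"].lower(),
        direction=m["dir"],
        level=m["level"],
    )


def _addr(tok: str) -> ipaddress.IPv6Address:
    # tcpdump prints "addr.port" for TCP/UDP; drop the port suffix if present.
    if "." in tok:
        tok = tok.rsplit(".", 1)[0]
    return ipaddress.IPv6Address(tok)


def parse_tcpdump_line(line: str) -> Optional[Packet]:
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    spi = int(m["spi"], 16) if m["spi"] else None
    return Packet(m["ts"], _addr(m["src"]), _addr(m["dst"]), m["proto"].lower(), spi)


def selected_by(policy: Policy, pkt: Packet) -> bool:
    """True if the packet falls under the outbound SPD entry's selector."""
    return (
        policy.direction == "out"
        and pkt.src in policy.src
        and pkt.dst in policy.dst
        and policy.proto in ("any", pkt.proto)
    )


def find_unprotected(policy: Policy, capture: Iterable[str]) -> list[Packet]:
    """Return the selected packets that were sent without an AH header."""
    return [
        pkt
        for pkt in map(parse_tcpdump_line, capture)
        if pkt is not None and selected_by(policy, pkt) and pkt.ah_spi is None
    ]


# Sample input, constructed from the SPD entry and the two tcpdump lines in the report.
POLICY_LINE = "spdadd -n 2620:10e:6024:a0::b1 2620:10e:6026:d0::/64 icmp6 -P out ipsec ah/transport//use;"
CAPTURE = [
    "14:55:30.524981 IP6 2620:10e:6024:a0::b1 > 2620:10e:6026:d0::5e40: ICMP6, echo request, seq 5, length 16",
    "15:03:40.086329 IP6 2620:10e:6024:a0::b1 > 2620:10e:6026:d0::5e40: AH(spi=0xa05e4001,seq=0x211): ICMP6, echo request, seq 0, length 16",
]

if __name__ == "__main__":
    policy = parse_spdadd(POLICY_LINE)
    for pkt in find_unprotected(policy, CAPTURE):
        print(f"{pkt.ts}: {pkt.src} > {pkt.dst} {pkt.proto} sent without AH (policy level {policy.level})")
```

With policy level use, a selected packet without AH can mean either that the sending socket carries a per-socket bypass policy, as suspected in this report, or that no SA was available; the ping6 line with AH rules out the second for this host, which is what makes the missing AH on the traceroute6 probe diagnostic. A level of require would make the kernel drop a selected packet when no SA is available instead of sending it in the clear, but it does not help against a per-socket bypass policy, which is consulted instead of the SPD.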
Comment 2 Jason Mader 2017-02-01 23:19:52 UTC
(In reply to Andrey V. Elsukov from comment #1)

Just for reference, Linux with a similar icmp6 out transport policy does add the AH. And FreeBSD does handle the echo response with AH.
Comment 3 Andrey V. Elsukov freebsd_committer freebsd_triage 2017-02-01 23:41:10 UTC
(In reply to Jason Mader from comment #2)
> (In reply to Andrey V. Elsukov from comment #1)
> 
> Just for reference, Linux with a similar icmp6 out transport policy does add
> the AH. And FreeBSD does handle the echo response with AH.

This is not Linux or FreeBSD kernel specific; this is how traceroute6 works. You can try to rebuild traceroute6 without IPSEC support, and I think it will work the way you want.

Index: usr.sbin/traceroute6/Makefile
===================================================================
--- usr.sbin/traceroute6/Makefile	(revision 312816)
+++ usr.sbin/traceroute6/Makefile	(working copy)
@@ -22,7 +22,7 @@ SRCS=	as.c traceroute6.c
 BINOWN=	root
 BINMODE= 4555
 
-CFLAGS+= -DIPSEC -DUSE_RFC2292BIS -DHAVE_POLL
+CFLAGS+= -DUSE_RFC2292BIS -DHAVE_POLL
 CFLAGS+= -I${.CURDIR} -I${TRACEROUTE_DISTDIR} -I.
 
 WARNS?=	3
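Review bot: removing -DIPSEC from CFLAGS only compiles the IPSEC-guarded code out of traceroute6.c; the blocks that install the bypass policy stay in the source behind a now-unset define. If the intent is that traceroute6 obey the system SPD, prefer deleting that guarded code outright and confirming the result with a capture that shows AH on the probe packets; if this is meant only as a local workaround for the reporter, say so, since otherwise the edit reads as a default behaviour change for every user with no commit message explaining it. Also check whether anything else in this Makefile (a library added only for the IPSEC code, for example) existed solely to serve what is being disabled.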

PS. I'm not sure, but, IMHO, almost all IPSEC-related code in traceroute6 is dead and should be removed. At least, we have not implemented in our kernel all these IPV6_[ESP|AUTH]_XXX socket options that traceroute6 tries to configure.