Date:	Wed, 23 Jan 2008 21:37:22 +0100
From:	"Marco Berizzi" <pupilla@...mail.com>
To:	<netdev@...r.kernel.org>
Subject: arp queries and ipsec policy

Hello everybody.
I'm using openswan 2.4.x to drive the linux 2.4.23.14 ipsec
native stack (netkey).
Openswan by default inserts a static route when an ipsec SA
is established: this is needed by the klips stack as it is
routing based. For example when a roadwarrior establishes
an ipsec SA with the linux box I see a static route like
this:

# ip r s
road_warrior_public_ip dev eth0  scope link

This static route is placed by the default updown script.
When there is this route, I see linux doing arp queries for
the road_warrior_public_ip:

# tcpdump -pnvi eth0 arp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:11.608179 arp who-has road_warrior_public_ip tell linux_public_ip_address
17:25:12.608171 arp who-has road_warrior_public_ip tell linux_public_ip_address
17:25:13.608224 arp who-has road_warrior_public_ip tell linux_public_ip_address

Is this behaviour expected?

I have seen this behaviour today because the ISP router
isn't configured with proxy_arp and linux is unable to
send the ESP packets because there is no arp reply from anybody.
However it is able to receive/decrypt them:

# tcpdump -pnvi eth0 ip host road_warrior_public_ip
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

17:24:55.107497 IP (tos 0x0, ttl 120, id 55048, offset 0, flags [none], proto:
ESP (50), length: 112) road_warrior_public_ip > linux_public_ip_address:
ESP(spi=0xe215d75f,seq=0x25), length 92

17:24:55.109304 IP (tos 0x0, ttl 128, id 2262, offset 0, flags [none], proto:
ICMP (1), length: 60) road_warrior_public_ip > 172.25.5.4: ICMP echo request,
id 512, seq 50694, length 40

I have resolved the problem by modifying the updown script so
it doesn't place the static route anymore.

PS: default parameters for eth0 on /proc except proxy_arp,
arp_announce and rp_filter
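The mechanism behind the behaviour in this post is that a host route with no gateway ("dev eth0 scope link") tells the kernel the destination is on-link, so it resolves the address with ARP instead of sending through the default gateway; if nothing upstream answers the ARP (no proxy_arp on the ISP router), outbound packets never leave. The following script is an added example, not code from the post or from openswan: it parses constructed `ip route show` and `tcpdump arp` output (all addresses and MACs are documentation/placeholder values, not the poster's) and reports host routes that point off the connected prefix, plus ARP requests that never got a reply. Both checks are read-only and only flag the condition; the fix the poster applied was to stop the updown script from adding the route.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output (placeholder addresses; the post
# only shows the single offending host route, so the rest is assumed).
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
198.51.100.77 dev eth0  scope link
172.25.5.0/24 dev eth1  proto kernel  scope link  src 172.25.5.1
"""

# Constructed sample of `tcpdump -pni eth0 arp` output in the same shape as the
# post's capture: three unanswered who-has for the road warrior, one answered
# who-has for the gateway.
SAMPLE_ARP = """\
17:25:11.608179 arp who-has 198.51.100.77 tell 203.0.113.10
17:25:12.608171 arp who-has 198.51.100.77 tell 203.0.113.10
17:25:13.608224 arp who-has 198.51.100.77 tell 203.0.113.10
17:25:14.100000 arp who-has 203.0.113.1 tell 203.0.113.10
17:25:14.100500 arp reply 203.0.113.1 is-at 00:00:5e:00:53:01
"""


def parse_routes(text):
    """Parse `ip route show` lines into dicts with dst network, via, dev, scope."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        via = dev = scope = None
        for i, tok in enumerate(parts):
            if tok == "via":
                via = parts[i + 1]
            elif tok == "dev":
                dev = parts[i + 1]
            elif tok == "scope":
                scope = parts[i + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"dst": net, "via": via, "dev": dev, "scope": scope})
    return routes


def find_offlink_host_routes(routes):
    """Return host (/32) routes with no gateway whose destination is not inside
    any connected prefix on the same device. The kernel treats such a
    destination as on-link and will ARP for it directly on that interface."""
    connected = [
        r for r in routes
        if r["via"] is None and r["scope"] == "link"
        and r["dst"].prefixlen < r["dst"].max_prefixlen
    ]
    flagged = []
    for r in routes:
        if r["via"] is not None or r["dst"].prefixlen != r["dst"].max_prefixlen:
            continue
        host = r["dst"].network_address
        if not any(host in c["dst"] and c["dev"] == r["dev"] for c in connected):
            flagged.append(str(host))
    return flagged


def unanswered_arp(text):
    """Count 'who-has' requests per target address that never saw an 'is-at' reply."""
    asked = {}
    answered = set()
    for line in text.splitlines():
        m = re.search(r"arp who-has (\S+) tell (\S+)", line)
        if m:
            asked[m.group(1)] = asked.get(m.group(1), 0) + 1
            continue
        m = re.search(r"arp reply (\S+) is-at", line)
        if m:
            answered.add(m.group(1))
    return {ip: n for ip, n in asked.items() if ip not in answered}


if __name__ == "__main__":
    print("off-link host routes:", find_offlink_host_routes(parse_routes(SAMPLE_ROUTES)))
    print("unanswered ARP:", unanswered_arp(SAMPLE_ARP))
```

On a live box the two samples would be replaced by the output of `ip route show` and a short `tcpdump -pni eth0 arp` capture; a host route flagged by the first check together with a growing unanswered count for the same address in the second is exactly the symptom described in the post.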