lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 05 Dec 2010 16:18:40 -0600
From:	Joy Latten <latten@...tin.ibm.com>
To:	netdev@...r.kernel.org
Cc:	samudrala@...ibm.com, rashmin@...ibm.com
Subject: IPsecv6  tunnel mode fragmentation

We have come across an ipsec problem that I think was
noted a while back in the following link.
http://www.mail-archive.com/netdev@vger.kernel.org/msg61659.html

When an icmpv6 pkt-too-big message for a destination
is received, it is processed and the route's mtu is adjusted.

Transport mode uses "adjusted" mtu and works ok, but tunnel-mode
which has inner and outer iphdrs has problems.

ah and esp leave it to the ipv6 layer to fragment.
So, it seems esp/ah tunnel mode can produce an outgoing ipsec tunnel
mode pkt whose inner pkthdr has the dst with the adjusted mtu,
but inner pkt size larger than the adjusted mtu.

The outer pkthdr has tunnel's dst mtu  which has not been 
adjusted, since the pkt-too-big message was not for it.
So, ipv6 layer will use outer mtu to decide whether to fragment or not.
It doesn't appear to use the inner, "adjusted" mtu.
In the tcpdump attached below, since outer mtu is larger than the
outgoing pkt's size, it is not fragmented.

Thus lies the problem. So when the link with the "adjusted" mtu
gets the decrypted packet, the decrypted pkt may be too large for the
link's mtu. The "adjusted" mtu was never regarded when creating the pkt.

Hopefully, I have explained this clearly, if not
let me know. Should esp/ah pre-fragment... or should mtu of 
inner pkt's dst be used for outer pkt? What's the best way to approach
this? Thanks for any info.

regards,
Joy 

ipsec config:

target <-------> Secuity gateway <-----> host
        (tunnel)

attachment is tcpdump from target.


Download attachment "target.bin" of type "application/octet-stream" (10236 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ