lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Aug 2011 09:34:45 +0300 (EEST) From: Julian Anastasov <ja@....bg> To: Herbert Xu <herbert@...dor.hengli.com.au> cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH net-next] ipv4: one more case for non-local saddr in ICMP Hello, On Sat, 20 Aug 2011, Herbert Xu wrote: > On Fri, Aug 19, 2011 at 03:43:54AM -0700, David Miller wrote: > > From: Julian Anastasov <ja@....bg> > > Date: Mon, 15 Aug 2011 19:21:23 +0300 (EEST) > > > > > > > > May be there is one more case that we can avoid using > > > non-local source for ICMP errors: xfrm_lookup, num_xfrms = 0 when > > > reverse "Flow passes untransformed". Avoid using the input route > > > if xfrm_lookup returns same dst. > > > > > > Signed-off-by: Julian Anastasov <ja@....bg> > > > --- > > > > > > In fact, should we use local IP in all cases when > > > sending ICMP? I'm asking it for the following case: > > > > > > Large packet is forwarded but is rejected with ICMP FRAG > > > NEEDED. We usually send ICMP with local saddr instead of the > > > original non-local destination. What is the role of > > > this reverse check? May be after xfrm_decode_session_reverse > > > we should use 'fl4_dec.saddr = fl4->saddr;' so that xfrm_lookup > > > works with ICMP from local IP? What is right thing to do here? > > > I don't see code that looks in the embedded header... > > > > Well.. this relookup behavior is guided by a special transform state > > XFRM_STATE_ICMP that the user must explicitly create IPSEC rules for. > > > > Presumably they are going to add real transforms to such special IPSEC > > rules, not create NOP ones with no transforms. And if they do create > > such IPSEC state with no transforms, perhaps the intention is to trigger > > to use of the non-local source. > > > > The whole thing revolves around how Herbert envisions people implementing > > RFC4301 support using this new XFRM_STATE_ICMP thing. > > > > Right? I see, RFC 4301 prescribes reverse check for ICMP errors to reuse SA as a fallback mechanism. Even if we send ICMP packet via some tunnel to the previous secure gateway, shouldn't the ICMP receiver prefer to see our local IP as ICMP sender? > The intention of XFRM_STATE_ICMP is to automatically allow inbound > IPsec-protected ICMP packets (remember that IPsec tunnels are not > automatically allowed, as that opens room for address spoofing). > > Imagine if you have a policy P that allows IPsec packets with inner > addresses going from S to D. The purpose of this is to ensure that > ICMP packets from D to S are automatically allowed. OK, thanks for the information! I don't have setup for further tests, I hope things still work somehow, even if we fallback to unprotected ICMP with non-local source which was the only concern for me. I think, using local IP for ICMP packets is preferred to help firewalling. I just notice that if original packet (say TCP) hits "fwd" policy, for the locally generated ICMP error we call xfrm_lookup with sk = NULL and it always uses "out" dir for the flow_cache_lookup call to search for this reverse SA. So, we must be prepared with rules in "out" dir even for the forwarding case? icmp flag in "fwd" rules is not considered? Regards -- Julian Anastasov <ja@....bg> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists