Message-Id: <200709181257.58598.wolfgang.walter@studentenwerk.mhn.de>
Date: Tue, 18 Sep 2007 12:57:58 +0200
From: Wolfgang Walter <wolfgang.walter@...dentenwerk.mhn.de>
To: netdev@...r.kernel.org
Cc: herbert@...dor.apana.org.au, davem@...emloft.net
Subject: ipsec: icmp fragmentation-needed from ipsec-gateway is not encrypted
Hello,
I have the following problem:
Router A has two interfaces, eth0 and eth1.
Router B has two interfaces, eth0 and eth1.
The networks on A:eth1 and B:eth1 are connected over an IPsec tunnel.
The MTU on A:eth1 is 1400 (all others are 1500).
Both run 2.6.22.6.
If I now ping a host HA on A:eth1 from host HB on B:eth1 with a packet size
greater than 1400, the ping fails.
tcpdump on A:eth0 shows
an esp-tunnel-packet from B comes in
icmp echo-request packet from HB to HA comes in
(the decrypted esp-packet)
an unencrypted icmp fragmentation-needed packet to HB from A (ip of eth1) sent out
It seems to me that this fragmentation-needed packet generated by B is not
handled by ipsec, is sent out unencrypted instead, and this is the reason it
does not reach HB.
I should not see the unencrypted packet going out at all, should I? Because if I ping
A:eth1 from HB, then I don't see the unencrypted echo-reply packet (which has
the same source address as the fragmentation-needed) but only the outgoing
ESP packet (and the echo-reply reaches HB, by the way).
Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts