lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Fri, 19 Dec 2008 01:26:21 -0800 (PST)
From:	Joerg Pommnitz <pommnitz@...oo.com>
To:	netdev@...r.kernel.org
Subject: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target

Hello all,
the following script demonstrates a behaviour of IPv6 IPsec that I would
consider to be a bug (tested with 2.6.23 and 2.6.27-9 from Ubuntu Intrepid):

======================================================
#!/bin/bash
ip addr add dev eth0 2001:1b10:1001:ff00::0001/64 setkey -c << __EOF__ 
spdflush;
flush;

add 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::0002 esp 0x00000005 -m tunnel -E rijndael-cbc 0xefe8e2e8a43e518afa8e9474ad9a4abf986807fc178bd192;
spdadd 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::/64 any -P out ipsec esp/tunnel/2001:1b10:1001:ff00::0001-2001:1b10:1001:ff00::0002/require;
__EOF__

ip6tables -t mangle -A OUTPUT -d 2001:1b10:1001:ff00::2 -j MARK --set-mark=1

ping6 2001:1b10:1001:ff00::2
======================================================

This script adds an IPsec policy that should encrypt packets sent to 
2001:1b10:1001:ff00::2. This works fine as long as no MARK value is
assigned to the packets. When one applies a MARK value different from 0,
the policy doesn't match any more. In IPv4 the IPsec policies are 
unaffected by the MARK.

So: Is this intended on the kernel side? If yes, how can I write manual
policies that either ignore the MARK value or contain a matching value?

Thanks in advance and kind regards
  Joerg



      
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ