lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Tue, 23 Dec 2008 06:18:09 -0800 (PST)
From:	Joerg Pommnitz <pommnitz@...oo.com>
To:	netdev@...r.kernel.org
Subject: Re: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target

Hello,
has anybody read this and could comment?

-- 
Regards
       Joerg


--- Joerg Pommnitz <pommnitz@...oo.com> schrieb am Fr, 19.12.2008:

> Von: Joerg Pommnitz <pommnitz@...oo.com>
> Betreff: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target
> An: netdev@...r.kernel.org
> Datum: Freitag, 19. Dezember 2008, 10:26
> Hello all,
> the following script demonstrates a behaviour of IPv6 IPsec
> that I would
> consider to be a bug (tested with 2.6.23 and 2.6.27-9 from
> Ubuntu Intrepid):
> 
> ======================================================
> #!/bin/bash
> ip addr add dev eth0 2001:1b10:1001:ff00::0001/64
> setkey -c << __EOF__ 
> spdflush;
> flush;
> 
> add 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::0002 esp
> 0x00000005 -m tunnel -E rijndael-cbc
> 0xefe8e2e8a43e518afa8e9474ad9a4abf986807fc178bd192;
> spdadd 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::/64
> any -P out ipsec
> esp/tunnel/2001:1b10:1001:ff00::0001-2001:1b10:1001:ff00::0002/require;
> __EOF__
> 
> ip6tables -t mangle -A OUTPUT -d 2001:1b10:1001:ff00::2 -j
> MARK --set-mark=1
> 
> ping6 2001:1b10:1001:ff00::2
> ======================================================
> 
> This script adds an IPsec policy that should encrypt
> packets sent to 
> 2001:1b10:1001:ff00::2. This works fine as long as no MARK
> value is
> assigned to the packets. When one applies a MARK value
> different from 0,
> the policy doesn't match any more. In IPv4 the IPsec
> policies are 
> unaffected by the MARK.
> 
> So: Is this intended on the kernel side? If yes, how can I
> write manual
> policies that either ignore the MARK value or contain a
> matching value?
> 
> Thanks in advance and kind regards
>   Joerg


      
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists