| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Dec 2008 06:18:09 -0800 (PST)
From: Joerg Pommnitz <pommnitz@...oo.com>
To: netdev@...r.kernel.org
Subject: Re: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target
Hello,
has anybody read this and could comment?
--
Regards
Joerg
--- Joerg Pommnitz <pommnitz@...oo.com> schrieb am Fr, 19.12.2008:
> Von: Joerg Pommnitz <pommnitz@...oo.com>
> Betreff: Bug? Undocumented interaction between IPv6 IPsec and iptables MARK target
> An: netdev@...r.kernel.org
> Datum: Freitag, 19. Dezember 2008, 10:26
> Hello all,
> the following script demonstrates a behaviour of IPv6 IPsec
> that I would
> consider to be a bug (tested with 2.6.23 and 2.6.27-9 from
> Ubuntu Intrepid):
>
> ======================================================
> #!/bin/bash
> ip addr add dev eth0 2001:1b10:1001:ff00::0001/64
> setkey -c << __EOF__
> spdflush;
> flush;
>
> add 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::0002 esp
> 0x00000005 -m tunnel -E rijndael-cbc
> 0xefe8e2e8a43e518afa8e9474ad9a4abf986807fc178bd192;
> spdadd 2001:1b10:1001:ff00::0001 2001:1b10:1001:ff00::/64
> any -P out ipsec
> esp/tunnel/2001:1b10:1001:ff00::0001-2001:1b10:1001:ff00::0002/require;
> __EOF__
>
> ip6tables -t mangle -A OUTPUT -d 2001:1b10:1001:ff00::2 -j
> MARK --set-mark=1
>
> ping6 2001:1b10:1001:ff00::2
> ======================================================
>
> This script adds an IPsec policy that should encrypt
> packets sent to
> 2001:1b10:1001:ff00::2. This works fine as long as no MARK
> value is
> assigned to the packets. When one applies a MARK value
> different from 0,
> the policy doesn't match any more. In IPv4 the IPsec
> policies are
> unaffected by the MARK.
>
> So: Is this intended on the kernel side? If yes, how can I
> write manual
> policies that either ignore the MARK value or contain a
> matching value?
>
> Thanks in advance and kind regards
> Joerg
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists