lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LFD.2.00.1108230845510.1565@ja.ssi.bg>
Date:	Tue, 23 Aug 2011 09:34:45 +0300 (EEST)
From:	Julian Anastasov <ja@....bg>
To:	Herbert Xu <herbert@...dor.hengli.com.au>
cc:	David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] ipv4: one more case for non-local saddr in
 ICMP


	Hello,

On Sat, 20 Aug 2011, Herbert Xu wrote:

> On Fri, Aug 19, 2011 at 03:43:54AM -0700, David Miller wrote:
> > From: Julian Anastasov <ja@....bg>
> > Date: Mon, 15 Aug 2011 19:21:23 +0300 (EEST)
> > 
> > > 
> > > 	May be there is one more case that we can avoid using
> > > non-local source for ICMP errors: xfrm_lookup, num_xfrms = 0 when
> > > reverse "Flow passes untransformed". Avoid using the input route
> > > if xfrm_lookup returns same dst.
> > > 
> > > Signed-off-by: Julian Anastasov <ja@....bg>
> > > ---
> > > 
> > > 	In fact, should we use local IP in all cases when
> > > sending ICMP? I'm asking it for the following case:
> > > 
> > > 	Large packet is forwarded but is rejected with ICMP FRAG
> > > NEEDED. We usually send ICMP with local saddr instead of the
> > > original non-local destination. What is the role of
> > > this reverse check? May be after xfrm_decode_session_reverse
> > > we should use 'fl4_dec.saddr = fl4->saddr;' so that xfrm_lookup
> > > works with ICMP from local IP? What is right thing to do here?
> > > I don't see code that looks in the embedded header...
> > 
> > Well.. this relookup behavior is guided by a special transform state
> > XFRM_STATE_ICMP that the user must explicitly create IPSEC rules for.
> > 
> > Presumably they are going to add real transforms to such special IPSEC
> > rules, not create NOP ones with no transforms.  And if they do create
> > such IPSEC state with no transforms, perhaps the intention is to trigger
> > to use of the non-local source.
> > 
> > The whole thing revolves around how Herbert envisions people implementing
> > RFC4301 support using this new XFRM_STATE_ICMP thing.
> > 
> > Right?

	I see, RFC 4301 prescribes reverse check for ICMP errors
to reuse SA as a fallback mechanism. Even if we send ICMP packet via
some tunnel to the previous secure gateway, shouldn't the ICMP
receiver prefer to see our local IP as ICMP sender?

> The intention of XFRM_STATE_ICMP is to automatically allow inbound
> IPsec-protected ICMP packets (remember that IPsec tunnels are not
> automatically allowed, as that opens room for address spoofing).
> 
> Imagine if you have a policy P that allows IPsec packets with inner
> addresses going from S to D.  The purpose of this is to ensure that
> ICMP packets from D to S are automatically allowed.

	OK, thanks for the information! I don't have setup for
further tests, I hope things still work somehow, even if we
fallback to unprotected ICMP with non-local source which was
the only concern for me. I think, using local IP for ICMP packets
is preferred to help firewalling.

	I just notice that if original packet (say TCP) hits
"fwd" policy, for the locally generated ICMP error we call
xfrm_lookup with sk = NULL and it always uses "out" dir
for the flow_cache_lookup call to search for this reverse SA.
So, we must be prepared with rules in "out" dir even for
the forwarding case? icmp flag in "fwd" rules is not considered?

Regards

--
Julian Anastasov <ja@....bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ