Message-ID: <51706DAA.7050401@enst-bretagne.fr>
Date: Fri, 19 Apr 2013 00:03:22 +0200
From: Florent Fourcot <florent.fourcot@...t-bretagne.fr>
To: netdev@...r.kernel.org
Subject: Strange IPSec / ICMPv6 redirect behavior
Hi,
I have this kind of configuration on my network:
  ----------                   -----------------
  |        |======= IPv6 ======|               |
  | Client |                   |               |
  |  A::1  |                   |               |
  ----------                   |               |
                               | IPSec Gateway |
-----------------              |               |
| IPv4 Gateway  |=IPv6 in IPv4=|               |
| to Internet   |              |               |
-----------------              -----------------
       ||
       ||IPv6 in IPv4
       ||
  -----------
  | Client  |
  |  B::2   |
  -----------
The IPSec gateway has only one network card, i.e. unencrypted packets
from the client come in on eth0 and go out encrypted from eth0.
This works, but I get ICMP redirects, as I would without IPSec encryption. A
simplified tcpdump output gives this:
IP6 A::1 > B::2: ICMP6, echo request
IP6 fe80::3 > A::1: ICMP6, redirect, B::2 to B::2
IP A.B.C.D > E.F.G.H: ESP(spi=0x3be56104,seq=0xa494)
IP E.F.G.H > A.B.C.D: ESP(spi=0xce300198,seq=0x1958b)
IP6 B::2 > A::1: ICMP6, echo reply
Of course, the redirect is invalid, since the remote address is not
directly reachable. The kernel of the client complains with
"rt6_redirect: source isn't a valid nexthop for redirect target".
I can disable acceptance of ICMP redirects on the client, but it does not
look like a good solution (ICMP redirects still flood the network). Any
idea how to solve this?
Regards,
--
Florent Fourcot.
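
A defender-side check for the capture described in the message above, as an added example that is not part of the original post: it scans tcpdump one-line output for ICMPv6 redirects and flags those whose target equals a destination outside the client's on-link prefixes (in RFC 4861, target == destination means "this host is your neighbour"). The 2001:db8:: addresses, the IPv4 addresses, the SPI, and the names `audit_redirects` and `SAMPLE` are constructed for illustration.

```python
import ipaddress
import re

ADDR = r"[0-9A-Fa-f:.]+"
# tcpdump one-line form as shown in the message: "redirect, <destination> to <target>"
REDIRECT_RE = re.compile(
    rf"IP6 (?P<src>{ADDR}) > (?P<dst>{ADDR}): ICMP6, redirect, "
    rf"(?P<dest>{ADDR}) to (?P<target>{ADDR})"
)

def audit_redirects(lines, onlink_prefixes):
    """Return (router, destination, reason) for each suspicious redirect."""
    nets = [ipaddress.ip_network(p) for p in onlink_prefixes]
    findings = []
    for line in lines:
        m = REDIRECT_RE.search(line)
        if not m:
            continue  # echo, ESP and everything else is ignored
        src, dest, target = (
            ipaddress.ip_address(m[k]) for k in ("src", "dest", "target")
        )
        if not src.is_link_local:
            reason = "redirect source is not link-local"
        elif target == dest and not any(dest in n for n in nets):
            # target == destination claims the destination is a neighbour
            reason = "off-link destination advertised as on-link neighbour"
        elif target != dest and not target.is_link_local:
            reason = "better-router target is not link-local"
        else:
            continue
        findings.append((str(src), str(dest), reason))
    return findings

# Constructed capture: one bogus redirect (as in the message), two plausible ones.
SAMPLE = """\
IP6 2001:db8:a::1 > 2001:db8:b::2: ICMP6, echo request, seq 1, length 64
IP6 fe80::3 > 2001:db8:a::1: ICMP6, redirect, 2001:db8:b::2 to 2001:db8:b::2, length 152
IP 192.0.2.1 > 198.51.100.7: ESP(spi=0x00000001,seq=0x1), length 136
IP6 fe80::3 > 2001:db8:a::1: ICMP6, redirect, 2001:db8:c::9 to fe80::4, length 152
IP6 fe80::3 > 2001:db8:a::1: ICMP6, redirect, 2001:db8:a::50 to 2001:db8:a::50, length 152
""".splitlines()

if __name__ == "__main__":
    for finding in audit_redirects(SAMPLE, ["2001:db8:a::/64"]):
        print(*finding, sep=" | ")
```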