Message-ID: <f595200d-46e5-b28c-fd3b-331ddad11347@thermi.consulting>
Date:   Wed, 29 Jan 2020 10:39:32 +0100
From:   Noel Kuntze <noel.kuntze@...rmi.consulting>
To:     netdev@...r.kernel.org, steffen.klassert@...unet.com,
        davem@...emloft.net
Subject: XFRM with bridged packets problem

Hello List, Steffen, Dave,

I have found a bug in XFRM/the IPv4 network stack.
Reproduced on 4.19.99 LTS and 5.4.15.

Following are my notes on the problem:

XFRM docker issue
================

Topology:
docker container with veth pair attached to docker0.
docker0 address 172.17.0.1, container address 172.17.0.2
IPsec policy based tunnel from 172.16.20.2/32 to 0.0.0.0/0
Passthrough policies for multicast, 172.17.0.0/16 to 172.17.0.0/16,
no matching policy for 172.17.0.2 == 0.0.0.0/0
Packets are sent through tunnel regardless
Packets with wrong source IP can be observed on the other IPsec peer; traffic counters of the incoming SA increase. One endpoint is on the internet, no shared link.

Naturally, the packets are dropped when they're received by the other peer, because the negotiated policies don't match the packets.

After adding an SNAT rule on the docker host to change the packets' source address to 172.16.20.2, they match the policies on the server and make it onwards. Before that, "XfrmInNoPols" in /proc/self/net/xfrm_stat is increased for every packet.

Please let me know what you think.

Kind regards

Noel

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
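The two observations above (which selector a packet should match, and the XfrmInNoPols counter growing on the receiving peer) can be checked with the following added example. It is not part of the report or of the kernel; the selectors model the policies listed in the notes (the multicast passthrough selector and the public addresses 203.0.113.x are assumptions), and the two /proc/net/xfrm_stat snapshots are constructed sample text.

```python
import ipaddress
from typing import Optional

# Policy selectors as described in the report (constructed model, not kernel code).
# Entries are (src_net, dst_net, action); "allow" is a passthrough policy.
POLICIES = [
    ("0.0.0.0/0", "224.0.0.0/4", "allow"),        # multicast passthrough (assumed selector)
    ("172.17.0.0/16", "172.17.0.0/16", "allow"),  # docker-to-docker passthrough
    ("172.16.20.2/32", "0.0.0.0/0", "tunnel"),    # policy-based tunnel from the host
]

def match_policy(src: str, dst: str, policies=POLICIES) -> Optional[str]:
    """Return the action of the first policy whose src and dst selectors both match, else None.

    A container packet 172.17.0.2 -> internet matches nothing: the tunnel selector
    requires src 172.16.20.2, which is why the peer drops it until SNAT rewrites the source.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policies:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None

def parse_xfrm_stat(text: str) -> dict:
    """Parse /proc/net/xfrm_stat lines ('<CounterName><whitespace><value>') into a dict."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters

def grown_counters(before: str, after: str) -> dict:
    """Counters that increased between two snapshots; XfrmInNoPols growing on the
    receiving peer is the symptom the report describes (no policy for the inbound packet)."""
    b, a = parse_xfrm_stat(before), parse_xfrm_stat(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] > b.get(k, 0)}

# Constructed sample snapshots in the /proc/net/xfrm_stat layout (assumed values).
BEFORE_SAMPLE = "XfrmInError             \t0\nXfrmInNoPols            \t12\nXfrmOutNoStates         \t0\n"
AFTER_SAMPLE = "XfrmInError             \t0\nXfrmInNoPols            \t15\nXfrmOutNoStates         \t0\n"

if __name__ == "__main__":
    print("container -> internet:", match_policy("172.17.0.2", "203.0.113.5"))   # None
    print("after SNAT -> internet:", match_policy("172.16.20.2", "203.0.113.5"))  # tunnel
    print("grown counters:", grown_counters(BEFORE_SAMPLE, AFTER_SAMPLE))        # {'XfrmInNoPols': 3}
```

On the receiving peer, taking two snapshots of /proc/net/xfrm_stat around a burst of traffic and feeding them to grown_counters shows whether the drops are policy misses rather than SA or replay errors.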
