lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Thu, 28 May 2020 10:28:34 +0100
From:   Kai Wohlfahrt <kai.wohlfahrt@...il.com>
To:     netdev@...r.kernel.org
Subject: Packets to own IP are sent via IPSec tunnel with IPv6

Hi all,

I noticed strange behaviour with an IPSec tunnel set up with strongswan.
Discussing the issue on IRC, a strongswan developer suggested the issue
is due to a kernel bug and I should ask here.

The client connects to the server and is assigned an IPv6 address
from a pool. The remote traffic selector of the tunnel includes this
virtual IP so that multiple clients can communicate. However, when the
client tries to ping its own virtual IP, traffic goes over the tunnel
instead of via the loopback adapter (this shows in the TTL of the
packet, latency > 1ms and strongswan's traffic counters). If the virtual
IP addresses are IPv4, this issue does not occur. I'm running kernel
5.4.41 and strongswan 5.8.1. The output of relevant commands is included
below (IPs snipped), with more information including strongswan and
kernel config at [1].

On suggestion of strongswan developers, I tried to set
`net.ipv6.conf.lo.disable_policy=1`, this made no visible difference. Is
this a kernel bug, or other issue? I'm happy to help debug or test other
configurations.

Many thanks,
Kai

[1]: https://gist.github.com/kwohlfahrt/6db96db25e44ae208178335b2cdb9523/0d14b393d659c9adce6a8c925656dd6b90dc65e0

$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fd01::3/128 scope global nodad
        valid_lft forever preferred_lft forever
     inet6 2a00::e4df/64 scope global dynamic mngtmpaddr noprefixroute
        valid_lft 315359984sec preferred_lft 315359984sec
     inet6 fdaa::e4df/64 scope global mngtmpaddr noprefixroute
        valid_lft forever preferred_lft forever
     inet6 fe80::e4df/64 scope link
        valid_lft forever preferred_lft forever

$ ping -c3 fd01::3
PING fd01::3(fd01::3) 56 data bytes
64 bytes from fd01:: icmp_seq=1 ttl=63 time=306 ms
64 bytes from fd01:: icmp_seq=2 ttl=63 time=6.64 ms
64 bytes from fd01:: icmp_seq=3 ttl=63 time=8.02 ms

--- fd01::3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 6.636/106.842/305.875/140.738 ms

$ ip -6 route show table all
fd01::/64 via 2a00::280e dev wlp3s0 table 220 proto static src fd01::3 metric 1024 pref medium
fdaa:::/64 via 2a00::280e dev wlp3s0 table 220 proto static src fd01::3 metric 1024 pref medium
::1 dev lo proto kernel metric 256 pref medium
2a00:::/64 dev wlp3s0 proto ra metric 303 mtu 1488 pref medium
fd01::3 dev wlp3s0 proto kernel metric 256 pref medium
fdaa:::/64 dev wlp3s0 proto ra metric 303 mtu 1488 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 256 pref medium
default via fe80::44af dev wlp3s0 proto ra metric 303 mtu 1488 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a00::e4df dev wlp3s0 table local proto kernel metric 0 pref medium
local fd01::3 dev wlp3s0 table local proto kernel metric 0 pref medium
local fdaa::e4df dev wlp3s0 table local proto kernel metric 0 pref medium
local fe80::e4df dev wlp3s0 table local proto kernel metric 0 pref medium
ff00::/8 dev wlp3s0 table local metric 256 pref medium
ff00::/8 dev enp4s0 table local metric 256 linkdown pref medium

$ ip -6 xfrm policy
src fd01::3/128 dst fdaa:::/64
	dir out priority 301695
	tmpl src 2a00::e4df dst 2a00::280e
		proto esp spi 0xc0a4e6ee reqid 3 mode tunnel
src fd01::3/128 dst fd01::/64
	dir out priority 301695
	tmpl src 2a00::e4df dst 2a00::280e
		proto esp spi 0xc0a4e6ee reqid 3 mode tunnel
src fdaa:::/64 dst fd01::3/128
	dir fwd priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fdaa:::/64 dst fd01::3/128
	dir in priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fd01::/64 dst fd01::3/128
	dir fwd priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src fd01::/64 dst fd01::3/128
	dir in priority 301695
	tmpl src 2a00::280e dst 2a00::e4df
		proto esp reqid 3 mode tunnel
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ