From louie@whizzo.transsys.com  Sun Mar 26 11:06:04 2000
Return-Path: <louie@whizzo.transsys.com>
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10])
	by hub.freebsd.org (Postfix) with ESMTP id A69DF37B933
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 26 Mar 2000 11:06:02 -0800 (PST)
	(envelope-from louie@whizzo.transsys.com)
Received: (from louie@localhost)
	by whizzo.transsys.com (8.9.3/8.9.1) id OAA00589;
	Sun, 26 Mar 2000 14:06:01 -0500 (EST)
	(envelope-from louie)
Message-Id: <200003261906.OAA00589@whizzo.transsys.com>
Date: Sun, 26 Mar 2000 14:06:01 -0500 (EST)
From: Louis Mamakos <louie@TransSys.COM>
Sender: louie@whizzo.transsys.com
Reply-To: louie@TransSys.COM
To: FreeBSD-gnats-submit@freebsd.org
Subject: traceroute vs. IPSEC surprise
X-Send-Pr-Version: 3.2

>Number:         17606
>Category:       bin
>Synopsis:       traceroute vs. IPSEC surprise
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 26 11:10:01 PST 2000
>Closed-Date:    Tue Jul 18 12:07:33 PDT 2000
>Last-Modified:  Tue Jul 18 12:11:30 PDT 2000
>Originator:     Louis Mamakos
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:

FreeBSD 5.0-current, with IPSECv4 configured.

>Description:

When doing a traceroute to a destination host, the packets emitted are
subject to whatever the default IPSEC policy is.  If the default
policy is to use an encrypted payload for all traffic to the
destination, the intermediate hops are unable to return an ICMP time
exceeded error.

>How-To-Repeat:

As described.

>Fix:

I dunno.  This could be a documentation bug.  This might be solved
by having traceroute supply its own IPSEC policy to not send encrypted
traffic as long as responses are being returned by intermediate hops.
It's unclear if this is a bug or a feature.



>Release-Note:
>Audit-Trail:

From: Louis Mamakos <louie@TransSys.COM>
To: FreeBSD-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/17606  bad IPSEC and traceroute interaction, with fix!
Date: Mon, 27 Mar 2000 23:52:10 -0500 (EST)

 >Submitter-Id:   current-users
 >Originator:     Louis Mamakos
 >Organization:   
 >Confidential:   no
 >Synopsis:       traceroute and kernel-IPSEC policy can interact badly
 >Severity:       non-critical
 >Priority:       medium
 >Category:       bin
 >Release:        FreeBSD 5.0-CURRENT i386
 >Class:          sw-bug
 >Environment: 
 
 FreeBSD 5.0-current, as of 25 March or so.  Kernel configured with
 IPSEC.
 
 >Description: 
 
 When the default kernel IPSEC policy (as configured with setkey(8)) 
 includes all the traffic to a particular host, then attempting a
 traceroute to that host fails.  The packets being sent are encrypted,
 and thus the ICMP time exceeded message cannot be returned.
 
 This is a follow-up to PR bin/17606
 
 >How-To-Repeat: 
 
 As described.
 
 >Fix: 
 
 Steal the same sort of fix done in traceroute6, and apply to the IPv4
 "standard" traceroute in FreeBSD.  Patch could be as attached.  
 Surprisingly, the ipsec.h file is in sys/netinet6 rather than sys/netinet.
 
 
 Index: contrib/traceroute/traceroute.c
 ===================================================================
 RCS file: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v
 retrieving revision 1.11
 diff -u -r1.11 traceroute.c
 --- contrib/traceroute/traceroute.c	1999/06/25 21:48:40	1.11
 +++ contrib/traceroute/traceroute.c	2000/03/28 04:38:10
 @@ -24,7 +24,7 @@
      "@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996\n\
  The Regents of the University of California.  All rights reserved.\n";
  static const char rcsid[] =
 -    "@(#)$Header: /home/ncvs/src/contrib/traceroute/traceroute.c,v 1.10 1999/05/12 17:28:31 archie Exp $ (LBL)";
 +    "@(#)$Header: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v 1.11 1999/06/25 21:48:40 archie Exp $ (LBL)";
  #endif
  
  /*
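Review bot: the rcsid line changed in this hunk is only $Header$ keyword expansion from the submitter's local repository (/home/ncvs/... 1.10 becoming /usr/local/FreeBSD/cvs/... 1.11) and has nothing to do with the IPSEC fix. Drop this hunk from the patch so that only the functional changes remain.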
 @@ -217,6 +217,11 @@
  
  #include <arpa/inet.h>
  
 +#ifdef	IPSEC
 +#include <net/route.h>
 +#include <netinet6/ipsec.h>	/* XXX */
 +#endif	/* IPSEC */
 +
  #include <ctype.h>
  #include <errno.h>
  #ifdef HAVE_MALLOC_H
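Review bot: the "/* XXX */" on the <netinet6/ipsec.h> include does not say what the concern is. State it in the comment (the submission text suggests it is the header living under netinet6 while this is the IPv4 tool). Nothing else added by this patch visibly uses <net/route.h>; if it is only a prerequisite of ipsec.h, note that next to the include as well.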
 @@ -322,6 +327,9 @@
  char	*getaddr(u_int32_t *, char *);
  char	*getsin(struct sockaddr_in *, char *);
  char	*savestr(const char *);
 +#ifdef	IPSEC
 +int	setpolicy __P((int so, char *policy));
 +#endif
  void	send_probe(int, int);
  void	tvsub(struct timeval *, struct timeval *);
  __dead	void usage(void);
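Review bot: the setpolicy prototype is guarded by "#ifdef IPSEC" alone, while both the definition and the call sites are guarded by "defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)". Use the same condition here so the declaration never exists without a definition. The neighbouring prototypes are plain ANSI, so "int setpolicy(int so, char *policy);" would match the file better than the __P(()) form.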
 @@ -718,6 +726,14 @@
  #endif
  	}
  
 +#if	defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
 +	if (setpolicy(sndsock, "in bypass") < 0) 
 +		errx(1, ipsec_strerror());
 +
 +	if (setpolicy(sndsock, "out bypass") < 0) 
 +		errx(1, ipsec_strerror());
 +#endif	/* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */
 +
  	Fprintf(stderr, "%s to %s (%s)",
  	    prog, hostname, inet_ntoa(to->sin_addr));
  	if (source)
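Review bot: both errx(1, ipsec_strerror()) calls pass the library's message as the format string. Write errx(1, "%s", ipsec_strerror()) so a '%' in the message can never be interpreted as a conversion. Also, the only path on which setpolicy returns -1 has already printed the same string with warnx, so the error is reported twice; report it in one place.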
 @@ -884,6 +900,28 @@
  
  	return(cc);
  }
 +
 +#if	defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
 +int
 +setpolicy(so, policy)
 +	int so;
 +	char *policy;
 +{
 +	char *buf;
 +
 +	buf = ipsec_set_policy(policy, strlen(policy));
 +	if (buf == NULL) {
 +		warnx(ipsec_strerror());
 +		return -1;
 +	}
 +	(void)setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY,
 +		buf, ipsec_get_policylen(buf));
 +
 +	free(buf);
 +
 +	return 0;
 +}
 +#endif
  
  void
  send_probe(int seq, int ttl)
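Review bot: in setpolicy the result of setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, ...) is cast to void and the function then returns 0, so a failure to install the bypass policy is silent and the caller's "< 0" check cannot catch it. The probes would then go out under the default policy, which is the failure this PR describes. Check the return value, report it, and return -1 (after free(buf)). The warnx(ipsec_strerror()) call should also take a "%s" format, and the K&R-style definition could be written in ANSI form like the rest of the file's prototypes.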
 Index: usr.sbin/traceroute/Makefile
 ===================================================================
 RCS file: /usr/local/FreeBSD/cvs/src/usr.sbin/traceroute/Makefile,v
 retrieving revision 1.11
 diff -u -r1.11 Makefile
 --- usr.sbin/traceroute/Makefile	1999/08/28 01:20:22	1.11
 +++ usr.sbin/traceroute/Makefile	2000/03/28 04:33:17
 @@ -4,7 +4,7 @@
  MAN8=	traceroute.8
  BINMODE=4555
  CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
 -	-DSTDC_HEADERS=1 
 +	-DSTDC_HEADERS=1 -DIPSEC
  # RTT Jitter on the internet these days means printing 3 decimal places on
  # > 1000ms times is plain useless.  Uncomment this to enable variable precision
  # reporting, ie: print a variable precision from 0.001ms through 1000ms
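Review bot: -DIPSEC is added to CFLAGS unconditionally, so the "#ifdef IPSEC" include of <netinet6/ipsec.h> is always compiled, and the following hunk links -lipsec unconditionally as well. If traceroute is meant to build on a system without the IPSEC header and library, make both the define and the DPADD/LDADD lines conditional; if not, say so in the submission.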
 @@ -12,6 +12,8 @@
  
  SRCS=	version.c traceroute.c
  CLEANFILES+=	version.c
 +DPADD=	${LIBIPSEC}
 +LDADD=	-lipsec
  
  TRACEROUTE_DISTDIR?= ${.CURDIR}/../../contrib/traceroute
  
 
 
 
Responsible-Changed-From-To: freebsd-bugs->shin 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Wed Mar 29 02:27:43 PST 2000 
Responsible-Changed-Why:  
Inoue-san, could you take a look at this one? 
Responsible-Changed-From-To: shin->ume 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Jul 18 07:24:36 PDT 2000 
Responsible-Changed-Why:  
shin seems unavailable at the moment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=17606 
State-Changed-From-To: open->closed 
State-Changed-By: ume 
State-Changed-When: Tue Jul 18 12:07:33 PDT 2000 
State-Changed-Why:  
This PR is already applied by shin (traceroute.c rev 1.12) and MFCed. 
Maybe, shin forgot to close. 
Thank you! 

>Unformatted:
