From atc@death.ath.cx  Tue Apr  8 11:04:45 2008
Return-Path: <atc@death.ath.cx>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 70EE3106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Apr 2008 11:04:45 +0000 (UTC)
	(envelope-from atc@death.ath.cx)
Received: from death.ath.cx (unknown [IPv6:2001:b121:4::213])
	by mx1.freebsd.org (Postfix) with ESMTP id D99108FC0C
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  8 Apr 2008 11:04:44 +0000 (UTC)
	(envelope-from atc@death.ath.cx)
Received: from death.ath.cx (localhost [127.0.0.1])
	by death.ath.cx (8.13.8/8.13.8) with ESMTP id m38B4fHB091489
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 8 Apr 2008 19:04:41 +0800 (CST)
	(envelope-from atc@death.ath.cx)
Received: (from root@localhost)
	by death.ath.cx (8.13.8/8.13.8/Submit) id m38B4eC7091488;
	Tue, 8 Apr 2008 19:04:40 +0800 (CST)
	(envelope-from atc)
Message-Id: <200804081104.m38B4eC7091488@death.ath.cx>
Date: Tue, 8 Apr 2008 19:04:40 +0800 (CST)
From: susan.lan@zyxel.com.tw
Reply-To: susan.lan@zyxel.com.tw
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPsec AH tunneled packet mis handling?	
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         122562
>Category:       kern
>Synopsis:       [ipsec] IPsec AH tunneled packet mis handling?
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnn
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 08 11:10:00 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 18 05:02:51 UTC 2014
>Originator:     Yi-Wen Lan
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
>Environment:
System: 
	2 FreeBSD7.0-Release i386 PCs
>Description:
	In the very beginning of ip6_input():

#ifdef IPSEC
  /*
   * should the inner packet be considered authentic?
   * see comment in ah4_input().
   */
  if (m) {
      m->m_flags &= ~M_AUTHIPHDR;
      m->m_flags &= ~M_AUTHIPDGM;
  }
#endif

Consider the case: a packet is encrypted as AH tunneled, and FreeBSD is the end point of the tunnel. After it tore off the outer IPv6 header, the mbuf will be inserted to NETISR again. Then ip6_forward() will be called again to process the packet. However, in ipsec6_in_reject(), the packet's source and destination will match the SP entry. Since ip6_input() has truned off the flag M_AUTHIPHDR and M_AUTHIPDGM, the packet will be dropped.

I don't think with the codes AH tunnel could work properly. 

>How-To-Repeat:
	Set IPsec rules as AH tunnel for the 2 PCs; send ICMP echo request from
one end of the tunnel to the other end. However, the echo reply will never be returned since the packet is not successfully sent out. 

>Fix:

	I think the flag should be kept!

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Tue Apr 8 12:25:52 UTC 2008 
Responsible-Changed-Why:  
mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122562 
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:02:41 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122562 
>Unformatted:
