Message-Id: <200810011936.m91Ja2KR047114@www.freebsd.org>
Date: Wed, 1 Oct 2008 19:36:02 GMT
From: Cyrus Rahman <crahman@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPSEC with IPv6 fails to pass traffic through enc0 interface
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         127785
>Category:       kern
>Synopsis:       IPSEC with IPv6 fails to pass traffic through enc0 interface
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 01 19:40:03 UTC 2008
>Closed-Date:    Thu Oct 02 00:59:09 UTC 2008
>Last-Modified:  Sun Oct  5 17:50:02 UTC 2008
>Originator:     Cyrus Rahman
>Release:        FreeBSD 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD silva.signetica.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Thu Sep 25 23:49:02 MDT 2008     cr@silva.signetica.com:/usr/src/sys/amd64/compile/SIGNETICA  amd64

>Description:
The enc0 interface is supposed to inherit all IPSEC traffic, allowing packet filters to perform their work with knowledge of the packet's contents.

This works as expected in IPv4.

In IPv6, no IPSEC traffic is passed to enc0.  As a result, firewall rules are bypassed silently.
>How-To-Repeat:
Set up an IPv6 security association between two hosts and observe that all formerly firewall-blocked traffic can now pass freely.
>Fix:
The new IPSEC simply doesn't contain code to do this for IPv6.

Until such code is written it would be prudent to include a warning in the enc(4) manual page mentioning that IPv6 IPSEC traffic will not be visible to the enc interface, and that therefore firewall rules will not be applied to such traffic.


>Release-Note:
>Audit-Trail:

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/127785: IPSEC with IPv6 fails to pass traffic through enc0 interface
Date: Wed, 1 Oct 2008 20:25:35 +0000 (UTC)

 On Wed, 1 Oct 2008, Cyrus Rahman wrote:
 
 > The new IPSEC simply doesn't contain code to do this for IPv6.
 
 FreeBSD HEAD does.
 
 http://svn.freebsd.org/viewvc/base?view=revision&revision=174054
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Thu Oct 2 00:58:54 UTC 2008 
State-Changed-Why:  
Already fixed in -CURRENT. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127785 
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Fri Oct 3 15:54:07 UTC 2008 
Responsible-Changed-Why:  
Change Resp.: to me in case of follow-ups. 
Trying to get the change MFCed to 7-STABLE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127785 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/127785: commit references a PR
Date: Sun,  5 Oct 2008 17:44:45 +0000 (UTC)

 bz          2008-10-05 17:41:46 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7)
     share/man/man4       enc.4 
     sys/net              if_enc.c 
     sys/netipsec         ipsec.h ipsec_input.c ipsec_output.c 
                          xform.h xform_ipip.c 
   Log:
   SVN rev 183630 on 2008-10-05 17:41:46Z by bz
   
   MFC:
      rev. 1.7 net/if_enc.c
      rev. 1.14 netipsec/ipsec.h, 1.20 netipsec/ipsec_input.c
      rev. 1.17 netipsec/ipsec_output.c
      rev. 1.4 netipsec/xform.h, 1.16 netipsec/xform_ipip.c
      SVN r174054, 174055
   
     Add sysctls to if_enc(4) to control whether the firewalls or
     bpf will see inner and outer headers or just inner or outer
     headers for incoming and outgoing IPsec packets.
   
     This is useful in bpf to not have over long lines for debugging
     or selecting packets based on the inner headers.
     It also properly defines the behavior of what the firewalls see.
   
     Last but not least it gives you if_enc(4) for IPv6 as well.
   
     [ As some auxiliary state was not available in the later
       input path we save it in the tdbi. That way tcpdump can give a
       consistent view of either of (authentic,confidential) for both
       before and after states. ]
   
     Note: The defaults were not changed but you may want to do that.
           See the man page for more details.
   
   PR:             kern/127785
   Approved by:    re (gnn)
   
   Revision  Changes    Path
   1.5.2.1   +52 -7     src/share/man/man4/enc.4
   1.6.2.3   +74 -11    src/sys/net/if_enc.c
   1.13.2.2  +9 -2      src/sys/netipsec/ipsec.h
   1.19.2.2  +21 -2     src/sys/netipsec/ipsec_input.c
   1.16.2.3  +24 -2     src/sys/netipsec/ipsec_output.c
   1.3.2.1   +3 -0      src/sys/netipsec/xform.h
   1.15.2.1  +15 -1     src/sys/netipsec/xform_ipip.c
 
>Unformatted:
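The practical follow-up to this PR is verifying, on a given host, that the kernel actually exposes the enc(4) filter controls the MFC above introduced (net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask) and that neither path has been masked off, since a kernel that predates the change has no net.enc tree at all and IPv6 IPsec traffic never reaches the firewall. The script below is an added example, not code from the PR or from FreeBSD; it parses text in the format `sysctl net.enc` prints rather than calling sysctl, so it runs anywhere, and the three sample outputs (and the mask values in them) are constructed for illustration, not a statement of the kernel defaults.

```shell
#!/bin/sh
# Added example (not from the PR or FreeBSD's own code): parse the output of
# `sysctl net.enc` and report whether the kernel hands IPsec packets to the
# packet filter via enc(4) on the inbound and outbound paths.
#
# On a kernel without the r174054 / r183630 change the net.enc.* sysctls do
# not exist ("unknown oid"), which is the situation this PR describes on 7.x.

# Constructed sample resembling `sysctl net.enc` on a patched kernel with
# filtering enabled on both paths (values chosen for the example).
SAMPLE_OK='net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 3
net.enc.in.ipsec_filter_mask: 1'

# Constructed sample where an administrator has disabled outbound filtering.
SAMPLE_OUT_OFF='net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 0
net.enc.in.ipsec_bpf_mask: 3
net.enc.in.ipsec_filter_mask: 1'

# Constructed sample from a kernel that has no net.enc tree (pre-fix kernel).
SAMPLE_MISSING="sysctl: unknown oid 'net.enc'"

# enc_mask_value TEXT NAME
#   Prints the integer value of sysctl NAME found in TEXT, or nothing if the
#   oid is absent. sysctl prints "name: value", so $1 is "name:".
enc_mask_value() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name ":" { print $2; exit }'
}

# enc_filter_status TEXT
#   Prints one word and sets the exit status:
#     both     (0)  filtering enabled on both paths
#     in-only  (1)  outbound mask is zero: outbound IPsec bypasses the firewall
#     out-only (1)  inbound mask is zero: inbound IPsec bypasses the firewall
#     none     (1)  both masks zero
#     missing  (2)  net.enc sysctls absent: enc(4) filtering unavailable
enc_filter_status() {
    in_mask=$(enc_mask_value "$1" net.enc.in.ipsec_filter_mask)
    out_mask=$(enc_mask_value "$1" net.enc.out.ipsec_filter_mask)
    if [ -z "$in_mask" ] || [ -z "$out_mask" ]; then
        echo missing
        return 2
    fi
    if [ "$in_mask" -ne 0 ] && [ "$out_mask" -ne 0 ]; then
        echo both
        return 0
    elif [ "$in_mask" -ne 0 ]; then
        echo in-only
        return 1
    elif [ "$out_mask" -ne 0 ]; then
        echo out-only
        return 1
    else
        echo none
        return 1
    fi
}

# Demonstration over the constructed samples. On a real FreeBSD host you would
# feed it "$(sysctl net.enc 2>&1)" instead.
for sample in "$SAMPLE_OK" "$SAMPLE_OUT_OFF" "$SAMPLE_MISSING"; do
    status=$(enc_filter_status "$sample") || :
    echo "enc(4) filtering: $status"
done
```

A zero mask on either path means the kernel never passes that direction's IPsec packets to the firewall hooks, so "in-only", "out-only" and "none" all deserve the same attention as "missing" when auditing whether pf or ipfw rules on enc0 are actually being applied.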
