From nobody@FreeBSD.org  Mon Jan 18 15:26:52 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 835331065670
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 18 Jan 2010 15:26:52 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 57D698FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 18 Jan 2010 15:26:52 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o0IFQo22026786
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 18 Jan 2010 15:26:50 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o0IFQoEa026785;
	Mon, 18 Jan 2010 15:26:50 GMT
	(envelope-from nobody)
Message-Id: <201001181526.o0IFQoEa026785@www.freebsd.org>
Date: Mon, 18 Jan 2010 15:26:50 GMT
From: Matthijs Kooijman <matthijs@stdin.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPSec doesn't work with link-local addresses on FreeBSD 6
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         142937
>Category:       kern
>Synopsis:       [ipsec] [patch] IPSec doesn't work with link-local addresses on FreeBSD 6
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 18 15:30:03 UTC 2010
>Closed-Date:    Sat Oct 16 19:56:48 UTC 2010
>Last-Modified:  Sat Oct 16 19:56:48 UTC 2010
>Originator:     Matthijs Kooijman
>Release:        FreeBSD 6.4
>Organization:
I.C.T.S.V. Inter-Actief
>Environment:
>Description:
(Please assign this bug to Bjoern A. Zeeb <bz@FreeBSD.org> at his request)

I've been trying to get ipsec working on a FreeBSD 6.4 box, and found a bug. This bug is specific to FreeBSD 6, since it is in the original IPSEC implementation (that got removed in FreeBSD 7 and replaced with FAST_IPSEC).

However, since the bug might still be worth fixing for people running FreeBSD 6, I'll describe it anyway.

The bug occurs when using link-local addresses for ipsec. The kernel is then unable to find the right SA for an incoming packet. The cause of this lies in the scope identifier of the address. These scope identifiers are initially embedded in the full address (in the 3rd and 4th byte IIRC).

When addresses are stored in the sadb, these scope IDs are left embedded (even though the addresses are stored in a sockaddr_in6 struct with the scope id field left at 0). However, when looking for a matching SA in key_allocsa, the zone id is recovered from the address and put into the zone id field before comparison. This means the address will never match.

A simple fix (as attached) is not to recover the zone id and just always leave it embedded. I think it would be better to always recover the zone id instead, but I don't know the code well enough to produce a patch for that.

The patch attached is currently in use on a production system and has shown no problems so far. However, I've discussed this with Bjoern through email and he thinks it needs a better look first. Hence this PR.
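The lookup described above, as an added C model that is not part of this PR or of the FreeBSD 6 sources: it builds a sockaddr_in6 the way the sadb stored it (zone id embedded in the 3rd and 4th address bytes, sin6_scope_id left at 0), runs a sa6_recoverscope-style normalisation on the packet side only, and shows why the comparison fails, then shows the two fixes the PR discusses (leave the zone embedded on both sides, or recover it on both sides). The helper names (sa_store_embedded, sa_recover_scope, sa6_equal, lookup_*) and the exact embedding convention are assumptions made for the example, not the kernel's own functions.

```c
/* Added example (not from the PR or the FreeBSD sources). Models how the
 * FreeBSD 6 IPsec key code represented IPv6 link-local scope and why
 * key_allocsa() could not match an SA. Helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Build a sockaddr_in6 as the sadb stored it: zone id embedded in bytes
 * 2..3 of the address (the "3rd and 4th byte"), sin6_scope_id left at 0. */
static struct sockaddr_in6
sa_store_embedded(const char *text, uint16_t zone)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    inet_pton(AF_INET6, text, &sin6.sin6_addr);
    sin6.sin6_addr.s6_addr[2] = (uint8_t)(zone >> 8);
    sin6.sin6_addr.s6_addr[3] = (uint8_t)(zone & 0xff);
    sin6.sin6_scope_id = 0;
    return sin6;
}

static int
is_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/* Models sa6_recoverscope(): move an embedded zone id into sin6_scope_id
 * and clear the embedded bytes so the address reads as plain fe80::... */
static int
sa_recover_scope(struct sockaddr_in6 *sin6)
{
    if (!is_linklocal(&sin6->sin6_addr))
        return 0;                 /* nothing embedded for global addresses */
    uint16_t zone = ((uint16_t)sin6->sin6_addr.s6_addr[2] << 8) |
                    sin6->sin6_addr.s6_addr[3];
    if (zone == 0)
        return 0;
    sin6->sin6_addr.s6_addr[2] = 0;
    sin6->sin6_addr.s6_addr[3] = 0;
    sin6->sin6_scope_id = zone;
    return 0;
}

/* Models key_sockaddrcmp() with the port ignored: family, all 16 address
 * bytes and the scope id must agree. */
static int
sa6_equal(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
    return a->sin6_family == b->sin6_family &&
           memcmp(&a->sin6_addr, &b->sin6_addr, sizeof(a->sin6_addr)) == 0 &&
           a->sin6_scope_id == b->sin6_scope_id;
}

static struct sockaddr_in6
from_packet(const struct in6_addr *pkt_dst)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    memcpy(&sin6.sin6_addr, pkt_dst, sizeof(sin6.sin6_addr));
    sin6.sin6_scope_id = 0;
    return sin6;
}

/* Unpatched FreeBSD 6 path: scope recovered on the packet side only, so the
 * canonical address never equals the stored one. Returns 1 on match. */
static int
lookup_original(const struct sockaddr_in6 *sa, const struct in6_addr *pkt_dst)
{
    struct sockaddr_in6 sin6 = from_packet(pkt_dst);
    if (sa_recover_scope(&sin6))
        return 0;
    return sa6_equal(sa, &sin6);
}

/* The PR's patch: no recovery, zone stays embedded on both sides. */
static int
lookup_patched(const struct sockaddr_in6 *sa, const struct in6_addr *pkt_dst)
{
    struct sockaddr_in6 sin6 = from_packet(pkt_dst);
    return sa6_equal(sa, &sin6);
}

/* The alternative the submitter suggests: recover the scope when the SA is
 * stored, so both sides are canonical and the original lookup works. */
static int
lookup_recover_both(const struct sockaddr_in6 *sa_stored,
                    const struct in6_addr *pkt_dst)
{
    struct sockaddr_in6 sa = *sa_stored;
    sa_recover_scope(&sa);
    return lookup_original(&sa, pkt_dst);
}

/* Constructed scenario: SA for fe80::1 in zone 2; packet for the same
 * address with the same embedded zone (which == 0/1/2 picks the lookup). */
static int
demo(int which)
{
    struct sockaddr_in6 sa = sa_store_embedded("fe80::1", 2);
    struct in6_addr pkt = sa.sin6_addr;
    if (which == 0) return lookup_original(&sa, &pkt);
    if (which == 1) return lookup_patched(&sa, &pkt);
    return lookup_recover_both(&sa, &pkt);
}

/* Same address but a different zone must still be rejected by the patch. */
static int
demo_wrong_zone(void)
{
    struct sockaddr_in6 sa = sa_store_embedded("fe80::1", 2);
    struct sockaddr_in6 other = sa_store_embedded("fe80::1", 3);
    return lookup_patched(&sa, &other.sin6_addr);
}

int
main(void)
{
    printf("original: %d, patched: %d, recover both: %d, wrong zone: %d\n",
           demo(0), demo(1), demo(2), demo_wrong_zone());
    return 0;
}
```

The point the model makes is that the bug is an invariant violation, not a comparison bug: key_sockaddrcmp is fine as long as the stored SA and the lookup key agree on where the zone lives. Either of the two fixes restores that agreement; what breaks things is normalising only one side.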

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Leave the ipv6 link-local scope embedded in the address when looking for a
security association. This makes incoming ipv6 packets on a link-local address
work again.

It is probably more elegant to do the reverse: Recover the scope from the
address when storing the SA (in or around KEY_SETSECASIDX), so that it is always
recovered instead of never. However, this patch is simpler and seems to work as
well.

This patch applies to the IPSEC implementation (not FAST_IPSEC) that was
removed in 7.0. It is made against the 6.4 sources.
--- sys/netkey/key.c
+++ sys/netkey/key.c
@@ -1040,9 +1040,9 @@
 #ifdef INET6
 		case AF_INET6:
 			bcopy(dst, &sin6.sin6_addr, sizeof(sin6.sin6_addr));
+			/* Leave the ipv6 link-local scope embedded in the
+			 * address, since the SA also has it embedded. */
 			sin6.sin6_scope_id = 0;
-			if (sa6_recoverscope(&sin6))
-				continue;
 			if (key_sockaddrcmp((struct sockaddr *)&sin6,
 			    (struct sockaddr *)&sav->sah->saidx.dst, 0) != 0)
 				continue;
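Review bot: with the `sa6_recoverscope()` call gone, a match now silently depends on every stored SA keeping the zone id embedded in the address bytes with `sin6_scope_id` 0, which the description says KEY_SETSECASIDX currently does but nothing in this hunk enforces; if a future store path recovers the scope first, lookups for link-local peers fail again without any error. Consider stating that invariant in the new comment (and the unconditional `sin6.sin6_scope_id = 0;` that follows now exists only to satisfy it), or, as the submission itself suggests, normalise both sides in one place instead. Minor style point: style(9) puts the opening `/*` of a multi-line comment on its own line rather than `/* Leave the ipv6 link-local scope embedded in the`.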


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jan 18 22:32:41 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=142937 
Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Tue Jan 19 07:34:08 UTC 2010 
Responsible-Changed-Why:  
This is mine; I have looked before. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=142937 
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Fri Oct 15 15:39:36 UTC 2010 
State-Changed-Why:  
Sent mail to see if I can just close it leaving it broken. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=142937 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, matthijs@stdin.nl
Cc:  
Subject: Re: kern/142937: [ipsec] [patch] IPSec doesn't work with link-local
 addresses on FreeBSD 6
Date: Fri, 15 Oct 2010 15:38:48 +0000 (UTC)

 Hi,
 
 whenever looking I could never convince myself to possibly break RELENG_6
 or do major reworks after the last RELEASE had been out.
 I hope you are not mad at me, but I would like to leave it at that and
 close the PR given RELENG_6 will be out of support in less than two
 months.  Your local workaround is well documented publicly with the PR
 should anyone run into that problem.  Are you ok with that?
 
 /bz
 
 -- 
 Bjoern A. Zeeb                              Welcome a new stage of life.

From: Matthijs Kooijman <matthijs@stdin.nl>
To: "Bjoern A\. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/142937: [ipsec] [patch] IPSec doesn't work with
	link-local addresses on FreeBSD 6
Date: Sat, 16 Oct 2010 21:04:23 +0200

 Hi Bjoern,
 
 > whenever looking I could never convince myself to possibly break RELENG_6
 > or do major reworks after the last RELEASE had been out.
 > I hope you are not mad at me, but I would like to leave it at that and
 > close the PR given RELENG_6 will be out of support in less than two
 > months.  Your local workaround is well documented publicly with the PR
 > should anyone run into that problem.  Are you ok with that?
 Seems like the sensible thing to do, so no objections here :-)
 
 Thanks for looking at this anyway.
 
 Gr.
 
 Matthijs
 
State-Changed-From-To: feedback->closed 
State-Changed-By: bz 
State-Changed-When: Sat Oct 16 19:56:05 UTC 2010 
State-Changed-Why:  
Submitter agrees that it may be closed despite not being fixed. 
The workaround is documented in this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=142937 
>Unformatted:
