From nobody@FreeBSD.org  Fri Dec  8 18:56:23 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 66DF837B401
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  8 Dec 2000 18:56:23 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id eB92uNg57643;
	Fri, 8 Dec 2000 18:56:23 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200012090256.eB92uNg57643@freefall.freebsd.org>
Date: Fri, 8 Dec 2000 18:56:23 -0800 (PST)
From: seraf@2600.com
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPsec transport mode precludes filtering on underlying transport header
X-Send-Pr-Version: www-1.0

>Number:         23400
>Category:       kern
>Synopsis:       IPsec transport mode precludes filtering on underlying transport header
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 08 19:00:01 PST 2000
>Closed-Date:    Mon Jun 28 22:10:21 GMT 2004
>Last-Modified:  Mon Jun 28 22:10:21 GMT 2004
>Originator:     Dominick LaTrappe
>Release:        RELENG_4
>Organization:
>Environment:
>Description:
With KAME IPsec in transport mode, and packet filtering (ipfilter or
ipfw), on FreeBSD 4, packets seem to be processed like:
        INPUT -> filters -> ipsec -> rest of ip stack
        rest of ipstack -> ipsec -> filters -> OUTPUT   

In this sequence, the transport-layer protocol appears to the filters
as ESP(50) or AH(51).  As such, the filters perform no inspection of the
underlying transport's parameters -- such as TCP port or ICMP message
type -- because they are encrypted, and/or because they are 'hidden'
behind the AH header.

Though the OpenBSD and FreeS/WAN implementations of IPsec present the
same limitation to outside packet filters (ipfilter or ipchains), they
compensate with their own packet-filtering options, which apply to a
pre-IPsec'd (outbound) or de-IPsec'd (inbound) packet.  FreeBSD IPsec
provides no such packet filtering.

The only solution right now is to make each packet pass through two
interfaces, once in its IPsec'd state, and once not, and perform packet
filtering on both.  This is natural with pipsecd or IPsec tunnel mode,
but IPsec transport mode still has this fundamental security limitation.

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Tue Jun 18 12:20:26 PDT 2002 
Responsible-Changed-Why:  
Take ownership of this since this problem has caught my attention.
Some sites wish to do post-IPsec processing of the recently
tunnel-ejected packets.


http://www.freebsd.org/cgi/query-pr.cgi?pr=23400 
Responsible-Changed-From-To: rwatson->guido 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Thu Nov 6 22:06:41 PST 2003 
Responsible-Changed-Why:  
Guido and I had a long conversation about this at the FREENIX PC 
meeting early this year, and he merged some changes relating to the 
problem.  Assign the PR to him so he can decide if the fixes he 
committed solve this problem or not. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=23400 
Responsible-Changed-From-To: guido->net 
Responsible-Changed-By: bms 
Responsible-Changed-When: Tue Jun 22 16:48:10 GMT 2004 
Responsible-Changed-Why:  
Seems relevant to current work being done by andre@ and 
others in the area of layering/pfil_hooks 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23400 

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: freebsd-gnats-submit@FreeBSD.org, seraf@2600.com
Cc:  
Subject: Re: kern/23400: IPsec transport mode precludes filtering on underlying transport header
Date: Mon, 28 Jun 2004 21:25:28 +0000 (UTC)

> o [2000/12/09] kern/23400  net         IPsec transport mode precludes filtering

I think this one can be closed.

We can do filtering of IP encapsulated in IPSec since

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c#rev1.34
resp.
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c#rev1.51

with the ipsec flag.

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
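The "ipsec flag" mentioned above is the `ipsec` match option of ipfw(8), which matches packets that carry IPsec history, i.e. packets the kernel has already decapsulated, so a rule can inspect the real TCP port or ICMP type that the original report says was hidden behind ESP/AH. The following ruleset is an added example written for this PR record; it is not part of the PR, of the ip_fw2.c revisions linked above, or of any FreeBSD configuration. It assumes a host `ME` talking to a single IPsec peer `PEER` (both addresses are constructed placeholders), an IPsec-enabled kernel built with the `IPSEC_FILTERGIF` option that ipfw(8) names as the prerequisite for the `ipsec` keyword, and it covers only the inbound direction from the report's diagram; it does not address filtering outbound packets before they are encrypted.

```shell
#!/bin/sh
# Added example (not from the PR or FreeBSD sources): an ipfw ruleset that
# filters on the transport header of traffic that arrived inside IPsec,
# using the "ipsec" match option documented in ipfw(8).  The decapsulated
# packet only re-enters ipfw when the kernel has IPsec support and the
# IPSEC_FILTERGIF option; without that, rules 200/210 never match.
# Addresses are constructed placeholders from TEST-NET-1.
ME=${ME:-192.0.2.10}        # this host (assumed)
PEER=${PEER:-192.0.2.20}    # the IPsec peer (assumed)

# Print the ruleset, one "ipfw add" argument list per line.
ipsec_ipfw_rules() {
    # Outer layer: only ESP or AH from the peer may reach the IPsec code.
    printf '%s\n' "add 100 allow esp from $PEER to $ME in"
    printf '%s\n' "add 110 allow ah from $PEER to $ME in"
    # Inner layer: after decapsulation the packet carries IPsec history, so
    # "ipsec" rules see the real TCP/ICMP header and can be selective.
    printf '%s\n' "add 200 allow tcp from $PEER to $ME 22 in ipsec"
    printf '%s\n' "add 210 allow icmp from $PEER to $ME in ipsec icmptypes 8"
    # Everything else from the peer is dropped: inner traffic to other
    # ports, and cleartext that never passed through IPsec (no history),
    # which closes the gap of trusting the peer address alone.
    printf '%s\n' "add 290 deny log ip from $PEER to $ME in"
}

# Number of rules that require IPsec history (the inspection the PR asked for).
ipsec_rule_count() {
    ipsec_ipfw_rules | grep -c ' ipsec'
}

# Apply only when explicitly requested and ipfw exists on this machine;
# otherwise print the rules for review.
if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
    ipsec_ipfw_rules | while read -r rule; do
        # shellcheck disable=SC2086
        ipfw -q $rule
    done
else
    ipsec_ipfw_rules
fi
```

Run it as-is to review the generated rules, or with `APPLY=1` on a host that has ipfw to load them. Note that `proto esp` in rule 100 looks only at the IP protocol field, whereas the bare `ipsec` keyword in rules 200 and 210 checks the kernel's IPsec history of the packet; ipfw(8) points out that the two are different tests.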
State-Changed-From-To: open->closed 
State-Changed-By: andre 
State-Changed-When: Mon Jun 28 22:07:07 GMT 2004 
State-Changed-Why:  
The functionality requested has been implemented in ip_fw2 and is 
available to 4-STABLE users as kernel compile time option. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23400 
>Unformatted:
