| To: | "Christopher K. Johnson" <ckjohnson@xxxxxxx> |
|---|---|
| Subject: | Re: IPsec tunnel mode bug - malformed, misaddressed packets |
| From: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
| Date: | Mon, 18 Oct 2004 11:08:16 +1000 |
| Cc: | netdev@xxxxxxxxxxx |
| In-reply-to: | <41725CF5.2010606@gwi.net> |
| References: | <41725CF5.2010606@gwi.net> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Mutt/1.5.6+20040722i |

On Sun, Oct 17, 2004 at 11:52:21AM +0000, Christopher K. Johnson wrote:
> There is an ipsec bug in FC2 kernel 2.6.8-1.521 for ipsec tunnel mode.
> I have proven with a packet trace that some packets are
> misaddressed. Specifically it constructs a packet of the form:
> IP header1 | AH header | IP header2 | ESP

This is purely a user-space error. The Linux IPsec stack is very
flexible. In particular, you can configure it to generate nonsense
such as the above quite easily.

In this case, racoon needs to be taught that only the inner SA
should be marked as tunnel mode.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
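
An added example, not part of the message above or of any project's code: a Python check that walks the cleartext header chain of a captured IPv4 packet and flags the IP | AH | IP | ESP layout quoted in the report, beside the IP | AH | ESP layout that results when only the inner SA is tunnel mode. The packets, SPIs and addresses are constructed samples, and the function names are hypothetical.

```python
import struct

IPIP, ESP, AH = 4, 50, 51  # IANA IP protocol numbers

def header_chain(pkt: bytes) -> list:
    """Return the cleartext header sequence of an IPv4 packet, e.g.
    ['IP', 'AH', 'ESP']. Stops at ESP (opaque) or a non-IPsec protocol."""
    chain, off, proto = [], 0, IPIP
    while True:
        if proto == IPIP:
            if len(pkt) < off + 20 or pkt[off] >> 4 != 4:
                raise ValueError("truncated or non-IPv4 header")
            ihl = (pkt[off] & 0x0F) * 4
            if ihl < 20 or len(pkt) < off + ihl:
                raise ValueError("bad IPv4 header length")
            chain.append("IP")
            proto, off = pkt[off + 9], off + ihl
        elif proto == AH:
            if len(pkt) < off + 12:
                raise ValueError("truncated AH header")
            chain.append("AH")
            # AH payload-length field counts 32-bit words minus 2
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:
            chain.append("ESP" if proto == ESP else "proto %d" % proto)
            return chain

def nested_tunnel(pkt: bytes) -> bool:
    """True when a second IP header sits between AH and ESP, i.e. the
    outer (AH) SA was applied in tunnel mode as well as the inner one."""
    chain = header_chain(pkt)
    return "ESP" in chain and chain[:chain.index("ESP")].count("IP") > 1

# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv4(proto, payload, src=bytes([192, 0, 2, 1]), dst=bytes([198, 51, 100, 1])):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def ah(next_hdr, payload):  # 12 fixed bytes + 12-byte ICV, so length field = 4
    return struct.pack("!BBHII", next_hdr, 4, 0, 0x100, 1) + bytes(12) + payload

ESP_BLOB = struct.pack("!II", 0x200, 1) + bytes(16)  # SPI, seq, opaque body
BOTH_TUNNEL = ipv4(AH, ah(IPIP, ipv4(ESP, ESP_BLOB)))  # IP | AH | IP | ESP
INNER_ONLY = ipv4(AH, ah(ESP, ESP_BLOB))               # IP | AH | ESP

if __name__ == "__main__":
    for name, pkt in (("both tunnel", BOTH_TUNNEL), ("inner only", INNER_ONLY)):
        print(name, header_chain(pkt), "nested:", nested_tunnel(pkt))
```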