Fw: [Bug 196839] New: use_time of IPsec policy is updated even when receiving error packets.

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stephen Hemminger <stephen@networkplumber.org>
To: netdev@vger.kernel.org
Subject: Fw: [Bug 196839] New: use_time of IPsec policy is updated even when receiving error packets.
Date: Wed, 6 Sep 2017 08:38:33 -0700	[thread overview]
Message-ID: <20170906083833.0dcab8a6@xeon-e3> (raw)

Begin forwarded message:

Date: Wed, 06 Sep 2017 10:18:33 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 196839] New: use_time of IPsec policy is updated even when receiving error packets.

https://bugzilla.kernel.org/show_bug.cgi?id=196839

            Bug ID: 196839
           Summary: use_time of IPsec policy is updated even when
                    receiving error packets.
           Product: Networking
           Version: 2.5
    Kernel Version: 4.8.0
          Hardware: Intel
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: stephen@networkplumber.org
          Reporter: cchenme@gmail.com
        Regression: No

Normally the use_time of policy in SPD is updated if the policy is matched by
incoming or outgoing IP packets. For protect policy, it is updated if ESP/AH
packets are sent or received.

The use_time of SPD_IN policy used by IKE implementation like strongSwan to
check whether there is inbound traffic, thus determine whether it is necessary
to send DPD(dead peer detection, rfc3706) request to check liveness of IPsec
peer.

In case an unprotected packet is received but matches the IPsec SPD IN protect
policy, the packet will be discarded and the error counter XfrmInTmplMismatch
in /proc/net/xfrm_stat is incremented.

But in such error/malicious case, the use_time of SPD IN policy is also
updated. This cause strongSwan to mistakenly regard that the policy is in use
and not to trigger DPD request even when it should.

In short, this is a security hole in kernel and could lead to DoS attack on
IPsec gateway running on Linux.

-- 
You are receiving this mail because:
You are the assignee for the bug.

                 reply	other threads:[~2017-09-06 15:38 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170906083833.0dcab8a6@xeon-e3 \
    --to=stephen@networkplumber.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).