From: Aidas Kasparas <a.kasparas@gmc.lt>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: latten@austin.ibm.com, ipsec-tools-devel@lists.sourceforge.net,
netdev@oss.sgi.com
Subject: Re: [Ipsec-tools-devel] ipv4/ipv6 forwarding check
Date: Fri, 29 Oct 2004 11:09:25 +0300 [thread overview]
Message-ID: <4181FAB5.4010005@gmc.lt> (raw)
In-Reply-To: <E1CNR73-0007X6-00@gondolin.me.apana.org.au>
Herbert Xu wrote:
> Aidas Kasparas <a.kasparas@gmc.lt> wrote:
>
>> Meanwhile, I would like to recommend to abstain from upgrading to
>> anything above 2.6.9.
>
>
> Doesn't sound like a good idea as that's a massive security hole.
>
> Racoon with a pre-2.6.9 kernel will allow source addresses to come
> through the IPsec tunnel even if they violate IPsec policies.
Ok, my dear colleagues admins, decide for yourself. Facts are:
If you upgrade, your system will not work.
If you do not upgrade, and on host c.c.c.c you have policy
a.a.a.a b.b.b.b any -P in esp/.../
where b.b.b.b is address different from any interface address of host
with address c.c.c.c and
1) some party h.h.h.h will be able to spoof packet to look from a.a.a.a
to b.b.b.b;
2) transport that packet to c.c.c.c
3) that packet will not be filtered out by rp_filter on c.c.c.c
then kernel will pass that packet through to b.b.b.b, even if that
packet is not protected by esp.
It is possible to prevent that from happening by marking esp packets and
later accepting for forwarding only marked packets from a.a.a.a to
b.b.b.b using iptables. Yes, I have insisted in the past this is not
necessary. I was wrong. I'm sorry. I did not know about this kernel's
feature.
[Have I missed any other case?]
Which way to choose for the short term -- the decision is up to you.
--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
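The mark-and-filter workaround described in the message above, written out as an added example (this is not a script from the mail, from racoon or from ipsec-tools). It assumes the addresses a.a.a.a, b.b.b.b are placeholders you replace with your own tunnel endpoints, that the box running it is c.c.c.c with IP forwarding on, and that the decapsulated inner packet inherits the nfmark of the ESP packet it arrived in, which is the kernel behaviour the technique in the mail depends on. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original mail or of ipsec-tools.
# Mark ESP packets on arrival at c.c.c.c and forward traffic from
# a.a.a.a to b.b.b.b only when it carries that mark, so a cleartext
# packet spoofed to look like a.a.a.a -> b.b.b.b is dropped even when
# rp_filter lets it through.
SRC="${SRC:-192.0.2.10}"       # a.a.a.a  (constructed placeholder, TEST-NET-1)
DST="${DST:-198.51.100.20}"    # b.b.b.b  (constructed placeholder, TEST-NET-2)
ESP_MARK="${ESP_MARK:-0x1}"    # nfmark value used to tag ESP traffic
IPT="${IPT:-iptables}"         # set IPT=echo to dry-run the rule set

# Emit the rule set, one iptables argument list per line.
esp_forward_rules() {
    # 1. Tag every ESP packet as it enters c.c.c.c. After xfrm strips the
    #    ESP header the inner packet is still the same skb, so it keeps
    #    this mark when it reaches the FORWARD chain.
    echo "-t mangle -A PREROUTING -p esp -j MARK --set-mark $ESP_MARK"
    # 2. Forward a.a.a.a -> b.b.b.b only if it came out of an ESP SA.
    echo "-A FORWARD -s $SRC -d $DST -m mark --mark $ESP_MARK -j ACCEPT"
    # 3. Same addresses without the mark is exactly the spoofed
    #    cleartext case from the mail: log it, then drop it.
    echo "-A FORWARD -s $SRC -d $DST -j LOG --log-prefix unprotected-a2b:"
    echo "-A FORWARD -s $SRC -d $DST -j DROP"
}

# Apply (or, with IPT=echo, print) each rule in order.
apply_esp_forward_rules() {
    esp_forward_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

# Number of rules emitted; handy for a quick sanity check.
esp_forward_rule_count() {
    esp_forward_rules | wc -l | tr -d ' '
}

# Run directly: apply the rules (needs root, or IPT=echo for a dry run).
[ "${0##*/}" = "esp_forward_rules.sh" ] && apply_esp_forward_rules
```

The ACCEPT rule must sit before any broader FORWARD accept for the same pair, and the mangle rule must run before the policy check, which PREROUTING guarantees. Once a kernel with the forwarding-policy check is in place the DROP rule becomes redundant but harmless.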
Thread overview:
[not found] <200410300506.i9U56Yse005815@faith.austin.ibm.com>
2004-10-29 7:05 ` [Ipsec-tools-devel] ipv4/ipv6 forwarding check Aidas Kasparas
2004-10-29 7:04 ` David S. Miller
2004-10-29 7:23 ` Herbert Xu
2004-10-29 8:09 ` Aidas Kasparas [this message]
2004-10-29 9:27 ` Michal Ludvig
2004-11-05 10:27 ` Michal Ludvig