Subject: kern/34734: ipsec tunnels over ipv6 are broken
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <mlelstv@serpens.de>
List: netbsd-bugs
Date: 10/06/2006 16:20:00
>Number: 34734
>Category: kern
>Synopsis: ipsec tunnels over ipv6 are broken
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 06 16:20:00 +0000 2006
>Originator: Michael van Elst
>Release: NetBSD 3.1_RC1
>Organization:
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
>Environment:
System: NetBSD fud 4.0_BETA NetBSD 4.0_BETA (FUD) #1: Tue Oct 3 01:09:13 CEST 2006 mlelstv@henery:/home/netbsd4/obj/home/netbsd4/src/sys/arch/i386/compile/FUD i386
Architecture: i386
Machine: i386
>Description:
IPsec tunnels over ipv6 do not work in netbsd-4 and -current
due to a broken KAME update.
In netinet6/ipsec.c several calls to in6_embedscope were removed.
The function ipsec6_tunnel_validate however uses this to convert
a sockaddr_in6 to an in6_addr for comparison.
case AF_INET6:
sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);
- in6_embedscope(&in6, sin6, NULL, NULL);
if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6))
return 0;
break;
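Review bot: the removed in6_embedscope() line was the only store to the local `in6` in this case arm, so the IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6) that follows now compares the packet's destination against an indeterminate stack value and the result of the validate routine is undefined rather than merely wrong. Either the conversion has to be put back (with whatever non-deprecated scope-embedding helper the tree offers) or the comparison should be made directly against sin6->sin6_addr with sin6_scope_id handled the same way the kernel stores the scope in ip6_dst; dropping the call without touching the comparison cannot be correct.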
Without the call the in6 structure isn't initialized.
>How-To-Repeat:
Create an IPSEC tunnel over ipv6. Watch packets disappear, they are
still counted on the raw ip interface:
% netstat -p rip6
rip6:
5191 messages received
0 checksum calculations on inbound
0 messages with bad checksum
5191 messages dropped due to no socket
0 multicast messages dropped due to no socket
0 messages dropped due to full socket buffers
0 delivered
0 datagrams output
>Fix:
Restoring the call probably helps, but in6_embedscope is deprecated.
>Unformatted:
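The check the PR describes, modelled in userland as an added example (this is not code from the PR, from NetBSD's netinet6/ipsec.c, or from KAME). The SA's destination is stored as a sockaddr_in6 with a separate sin6_scope_id, while the packet's ip6_dst is a bare in6_addr; KAME-derived kernels keep the zone id of a link-local address embedded in the second 16-bit word of the in6_addr, so the sockaddr must be converted before the two can be compared. embed_scope() below is an assumed, simplified stand-in for in6_embedscope() (it handles only link-local unicast and node/link-local multicast, and ignores the extra arguments the real function takes); tunnel_dst_matches() is the converted-then-compared check, tunnel_dst_matches_noscope() shows what goes wrong if the raw sin6_addr is compared instead, and check() builds constructed inputs from text addresses. The addresses and interface index are made up for the demonstration.

```c
/*
 * Added example, not code from PR kern/34734 or the NetBSD tree.
 * A userland model of the destination check in ipsec6_tunnel_validate():
 * convert the SA's sockaddr_in6 into an in6_addr with the scope id
 * embedded (as in6_embedscope() did), then compare with the packet's
 * ip6_dst.  Compiles against the POSIX <netinet/in.h> macros.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Not every libc exports IN6_ARE_ADDR_EQUAL; fall back to a byte compare. */
#ifndef IN6_ARE_ADDR_EQUAL
#define IN6_ARE_ADDR_EQUAL(a, b) (memcmp((a), (b), sizeof(struct in6_addr)) == 0)
#endif

/* Link-local unicast (fe80::/10) or node/link-local multicast. */
static int is_scope_linklocal(const struct in6_addr *a)
{
    return IN6_IS_ADDR_LINKLOCAL(a) ||
           IN6_IS_ADDR_MC_LINKLOCAL(a) || IN6_IS_ADDR_MC_NODELOCAL(a);
}

/*
 * Simplified model of KAME in6_embedscope(): copy sin6_addr into *out
 * and, for scoped addresses with a non-zero sin6_scope_id, write the
 * zone id into bytes 2-3 (the second 16-bit word) in network order.
 * Assumption: this is the only case the example needs; the kernel
 * function also handles other scopes and default zones.
 */
static void embed_scope(struct in6_addr *out, const struct sockaddr_in6 *sin6)
{
    uint16_t zone;

    *out = sin6->sin6_addr;
    if (is_scope_linklocal(out) && sin6->sin6_scope_id != 0) {
        zone = htons((uint16_t)sin6->sin6_scope_id);
        memcpy(&out->s6_addr[2], &zone, sizeof(zone));
    }
}

/* Converted-then-compared check: what the removed call made possible. */
int tunnel_dst_matches(const struct sockaddr_in6 *sa_dst,
                       const struct in6_addr *pkt_dst)
{
    struct in6_addr in6;

    embed_scope(&in6, sa_dst);      /* in6 is now initialised */
    return IN6_ARE_ADDR_EQUAL(&in6, pkt_dst);
}

/* Naive check: compare the raw sin6_addr, ignoring sin6_scope_id. */
int tunnel_dst_matches_noscope(const struct sockaddr_in6 *sa_dst,
                               const struct in6_addr *pkt_dst)
{
    return IN6_ARE_ADDR_EQUAL(&sa_dst->sin6_addr, pkt_dst);
}

/*
 * Run one scenario from constructed text inputs: the SA destination
 * (address + scope id) and the packet's ip6_dst, which for link-local
 * traffic already carries the embedded zone.  Returns -1 on bad input.
 */
int check(const char *sa_text, uint32_t scope, const char *pkt_text, int embed)
{
    struct sockaddr_in6 sa;
    struct in6_addr pkt;

    memset(&sa, 0, sizeof(sa));
    sa.sin6_family = AF_INET6;
    sa.sin6_scope_id = scope;
    if (inet_pton(AF_INET6, sa_text, &sa.sin6_addr) != 1 ||
        inet_pton(AF_INET6, pkt_text, &pkt) != 1)
        return -1;
    return embed ? tunnel_dst_matches(&sa, &pkt)
                 : tunnel_dst_matches_noscope(&sa, &pkt);
}

int main(void)
{
    /* Global endpoint: scope id is irrelevant, both checks agree. */
    printf("global, embedded : %d\n", check("2001:db8::1", 0, "2001:db8::1", 1));
    /* Link-local endpoint on interface 3: ip6_dst carries zone 3 as fe80:3::1. */
    printf("ll, embedded     : %d\n", check("fe80::1", 3, "fe80:3::1", 1));
    printf("ll, raw compare  : %d\n", check("fe80::1", 3, "fe80:3::1", 0));
    printf("ll, wrong zone   : %d\n", check("fe80::1", 3, "fe80:4::1", 1));
    return 0;
}
```

The raw compare fails for the link-local case because fe80::1 and fe80:3::1 differ in the word where the kernel keeps the zone id; that is the conversion the PR says was dropped, and why restoring it (or its in-place successor on the sockaddr, sa6_embedscope in later NetBSD) rather than just deleting the call is the fix.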