Subject: Re: bug in netinet6/ipsec.c?
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-kern
Date: 10/27/2004 14:02:41
All the code is doing is mapping a single 'use the default' codepoint
into one of 4 configured defaults (via sysctl) by switching on AH vs
ESP and transport vs. tunnel mode.
That's a bug; it makes no sense to use the compression default for AH.
Probably no one has been bothered by this because both the system
default policy and the defaults for {ah,esp}x{transport,tunnel} are
all USE:
net.inet.ipsec.def_policy = 1
net.inet.ipsec.esp_trans_deflev = 1
net.inet.ipsec.esp_net_deflev = 1
net.inet.ipsec.ah_trans_deflev = 1
net.inet.ipsec.ah_net_deflev = 1
#define IPSEC_LEVEL_USE 1 /* use SA if present. */
So the operative policy for AH will be USE, for packets that match an
SPD entry with level 'default', but it's the wrong USE - from
compression, rather than from the system default for AH.
If someone had such an entry with transport mode, and set
ah_trans_deflevel to REQUIRE, then their system would behave
incorrectly in that it would not send an acquire message for outgoing
packets (and drop them) when there was not already an SA.
Really this all seems a bit silly. When I put in SPD entries, they
are almost always either use (for a server that might talk to clients
with or without IPsec) or require (almost all of the time).
Did you encounter a problem, see a warning, or just notice this when
reading code? I'd be really surprised if anyone encountered incorrect
behavior - just because one needs an unnatural and hairy config to
provoke it.
--
Greg Troxel <gdt@ir.bbn.com>