Subject: ipsec policy enforcement
To: None <email@example.com, firstname.lastname@example.org>
From: Jun-ichiro itojun Hagino <email@example.com>
Date: 03/01/2001 18:33:50
hello, this is a warning for those who are using inbound
policy for ipsec transport mode.
it seems that we needed more ipsec policy enforcement points in the
kernel. for example, if you put the following policy:
spdadd A B any -P in ipsec esp/transport//require;
transport layer other than icmp/tcp/udp/rip may look at the packet
even if there's no ESP header is present.
if you are using ipsec to protect icmp/tcp/udp traffic, you are okay.
the problem matters only when you are trying to enforce ipsec on
other protocols (for example, to protect gif tunnel pairs).
i'm working hard to fix the gotcha. if you are using inbound policy
for ipsec transport mode, please try to use packet filters as well
to drop any other problematical packets.