Re: UDP_ENCAP_ESPINUDP_NON_IKE

To: Maxime Villard <max%m00nbsd.net@localhost>, tech-net%NetBSD.org@localhost
Subject: Re: UDP_ENCAP_ESPINUDP_NON_IKE
From: Chuck Zmudzinski <frchuckz%gmail.com@localhost>
Date: Tue, 22 May 2018 12:07:06 -0400

On 5/21/2018 1:07 PM, Maxime Villard wrote:

Le 21/05/2018 à 17:47, Chuck Zmudzinski a écrit :
We would have to configure a remote host that uses the non-IKEmarkers and
doesn't use the RFC to test the way the kernel currently deals with that
case.
Yes, and that's a case that we are not supposed to support. Just likewe'renot supposed to support all the drafts that led to the many RFCsavailable
out there.
So I suggest we disable ENABLE_NATT_00. This will disable draft-00,in such away that racoon will never use non-IKE markers. Then we removeESPINUDP_NON_IKE
from the kernel.
If we do this, we will find out if the old code was working andsomeone wasrelying on it, because this will break it and that person will file abug
report!
What? The kernel code doesn't work in the first place.
Disabling NATT_00 on racoon under NetBSD does not remove a feature,since it
already doesn't work on NetBSD.

To me the current code in racoon is wrong, it shouldn't automatically use
non-IKE markers when there is no NAT-T.


Yest, that is definitely a bug in the current code in racoon.



And no, there won't be a bug report, for the same reason we didn't get a
report in the last 13 years about broken non-IKE markers in the kernel.


I agree.

(Well, there was one guy that figured this out a few months ago, andit was
you.)

I actually have been working on this for several years and I forgetexactly what prompted me to post about this problem to the mailing listsa few months ago, but I am pleased that we are getting this fixed in NetBSD!

Can you recompile racoon without ENABLE_NATT_00 and test again? Youshould beable to do so by uncommenting the #define in/src/lib/libipsec/config.h.
note: I meant _commenting_, as you probably understood.
Maxime
It looks to me like that will work. I will try it when I get achance. I canmost quickly test it on NetBSD 7.x because that is the version I amusing in
my environment, and if that works as expected I will also test it with
NetBSD 8 and current and let you know what I find.
Thanks,
Maxime

This worked exactly as expected on netbsd-7. I did not test a fullbuild, but it compiled and ran exactly as expected when I rebuilt in/src/lib/libipsec and in /src/usr.sbin/racoon on netbsd-7 aftercommenting out the #define of ENABLE_NATT_00 in/src/lib/libipsec/config.h and installing the new racoon andlibipsec.so.3.0 in my netbsd-7 system that is modified with a kernelthat patched the UDP_ENCAP_ESPINUDP_NON_IKE code to deal with mymisconfigured racoon configuration.


Results as reported by the racoon log:

Before patching racoon:

May 20 21:06:12 ave racoon: INFO: respond new phase 1 negotiation:192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]

May 20 21:06:12 ave racoon: INFO: begin Identity Protection mode.
May 20 21:06:12 ave racoon: INFO: received Vendor ID: RFC 3947

May 20 21:06:12 ave racoon: INFO: received Vendor ID:draft-ietf-ipsec-nat-t-ike-02May 20 21:06:12 ave racoon: INFO: received Vendor ID:draft-ietf-ipsec-nat-t-ike-02May 20 21:06:12 ave racoon: INFO: received Vendor ID:draft-ietf-ipsec-nat-t-ike-00

May 20 21:06:12 ave racoon: INFO: received Vendor ID: DPD

May 20 21:06:12 ave racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-Tversion: RFC 3947

After patching racoon by commenting out the #define of ENABLE_NATT_00 in/src/lib/libipsec/config.h:

May 20 22:10:08 ave racoon: INFO: respond new phase 1 negotiation:192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]

May 20 22:10:08 ave racoon: INFO: begin Identity Protection mode.

May 20 22:10:08 ave racoon: INFO: received broken Microsoft ID: MS NT5ISAKMPOAKLEY

May 20 22:10:08 ave racoon: INFO: received Vendor ID: RFC 3947

May 20 22:10:08 ave racoon: INFO: received Vendor ID:draft-ietf-ipsec-nat-t-ike-02

May 20 22:10:08 ave racoon: INFO: received Vendor ID: FRAGMENTATION

May 20 22:10:08 ave racoon: [xxx.xxx.xxx.xxx] INFO: Selected NAT-Tversion: RFC 3947

Vendor ID draft-ietf-ipsec-nat-t-ike-00 is no longer received from theremote host, as expected.

I also edited my kernel to report if it is using theUDP_ENCAP_ESPINUDP_NON_IKE branch or the UDP_ENCAP_ESPINUDP branch inudp_usrreq.c. As expected, now I get this in /var/log/messages:


May 20 21:13:53 ave /netbsd: udp4_espinudp: UDP_ENCAP_ESPINUDP is set.

It is working correctly now because racoon is not incorrectly tellingthe kernel it is using NON_IKE markers.

Things get a little more complicated for the case with the patchedracoon and racoon.conf configured incorrectly. To remind you, theincorrect configuration was that I had the wrong statement in the listendirective of racoon.conf for port 4500. I used isakmp instead ofisakmp_natt in the listen directive.

As I predicted, it does not work in this case, because in this case,racoon is configured to not do any version of ESP in UDP, so after phase1 and phase 2 are negotiated successfully and the ESPINUDP packets startcoming from the remote host, the kernel tries to do normal UDPprocessing on them instead of decapsulating them and sending them forprocessing by ipsec. The racoon log indicates the kernel sends the ESPin UDP back to racoon which complains about packets being too big andafter a while the connection attempt fails and the remote hosteventually terminates the connection with an error.

Is this a bug? Well, on one hand, we should not support a misconfiguredsetup, so it is correct for the connection to fail. On the other hand, Iwould argue that it is still a bug in racoon to try to negotiate aconnection based on RFC 3947 and 3948 and actually let the connectionget to the point where the remote host is sending us ESP in UDP packetsthat we cannot handle correctly. In this case, I think the correctbehavior is for racoon to detect that it is not configured correctly tosupport RFC 3947 and 3948 at startup and at least log a warning or evenexit with an error and report that racoon is not configured correctly tohandle NAT-T connections using RFC 3947 and 3948. I am working on apatch to racoon to do that. Even this patched racoon does not providemuch useful information in its log messages to assist in the debuggingprocess. This is why no one has solved this problem for the last 13 years.

Thank you for all your help. I am glad to help get support for thisfeature in NetBSD.


Chuck

Follow-Ups:
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski

References:
- UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard

Prev by Date: Re: Routing between two internal networks
Next by Date: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Previous by Thread: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Next by Thread: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Indexes:

Home | Main Index | Thread Index | Old Index