Subject: ipsec policy enforcement
To: None <,>
From: Jun-ichiro itojun Hagino <>
List: tech-security
Date: 03/01/2001 18:33:50
	hello, this is a warning for those who are using inbound
	policy for ipsec transport mode.

	it seems that we needed more ipsec policy enforcement points in the
	kernel.  for example, if you put the following policy:
		spdadd A B any -P in ipsec esp/transport//require;
	transport layer other than icmp/tcp/udp/rip may look at the packet
	even if there's no ESP header is present.

	if you are using ipsec to protect icmp/tcp/udp traffic, you are okay.
	the problem matters only when you are trying to enforce ipsec on
	other protocols (for example, to protect gif tunnel pairs).

	i'm working hard to fix the gotcha.  if you are using inbound policy
	for ipsec transport mode, please try to use packet filters as well
	to drop any other problematical packets.