IPsec AH tunneling pakcet mis-handling?

[blue]

Sorry, maybe my words make you confused.

What I meant is "AH tunnel" only, and the code base is FAST_IPSEC, which 
is currently IPSEC in FreeBSD-7.0.

BR,
Yi-Wen

Bjoern A. Zeeb wrote:

> On Wed, 1 Aug 2007, blue wrote:
>
> Hi,
>
>
>> Dear all:
>>
>> I do not know the purpose of the following codes in the very 
>> beginning in ip6_input():
>>
>> #ifdef IPSEC
>>   /*
>>    * should the inner packet be considered authentic?
>>    * see comment in ah4_input().
>>    */
>>   if (m) {
>>       m->m_flags &= ~M_AUTHIPHDR;
>>       m->m_flags &= ~M_AUTHIPDGM;
>>   }
>> #endif
>>
>> Consider the case: a packet is encrypted as AH tunneled, and FreeBSD 
>> is the end point of the tunnel. After it tore off the outer IPv6 
>> header, the mbuf will be inserted to NETISR again. Then ip6_forward() 
>> will be called again to process the packet. However, in 
>> ipsec6_in_reject(), the packet's source and destination will match 
>> the SP entry. Since ip6_input() has truned off the flag M_AUTHIPHDR 
>> and M_AUTHIPDGM, the packet will be dropped.
>>
>> I don't think with the codes AH tunnel could work properly.
>
>
> I was pointed at this.
>
> I am a bit unsure about your setup as you are talking about "AH
> tunneled" and "encrypted" while at the end it's "AH tunnel" only.
> So, are you using IPsec tunnel mode with ESP and AH or just AH, or ...?
>
> Can you describe the setup this would be a problem in detail and maybe
> file a PR so this won't be lost again.
>
> We've got other ESP+AH+IPv6 problems pending like PR kern/121373 and I
> could look into both at the same time I guess.
>
> PS: I am assuming this was with (Fast) IPsec, not KAME IPsec
> implementation? The date was too close to the change, so I thought it
> might be better asking;-)
>
> Thanks
> /bz
>