FreeBSD 6.3 gre and traceroute
Stephen Clark
sclark46 at earthlink.net
Mon Nov 17 06:11:27 PST 2008
Bjoern A. Zeeb wrote:
> On Fri, 14 Nov 2008, Robert Noland wrote:
>
> Hi,
>
>>>>> Also just using gre's without the
>>>>> underlying ipsec tunnels seems to
>>>>> work properly.
>
> The reason for this to my knowledge is:
> http://www.kame.net/dev/cvsweb2.cgi/kame/freebsd2/sys/netinet/ip_icmp.c#rev1.4
>
>
> or looking at recent freebsd code:
> http://fxr.watson.org/fxr/source/netinet/ip_icmp.c#L164
> Look for M_DECRYPTED.
>
> Now what happens in your case:
>
> you receive an IPSec ESP packet, which gets decrypted, that sets
> M_DECRYPTED on the mbuf, passes through various parts, gets up to gre,
> gets decapsulated, is an IP packet (again), gets to ip_input, TTL
> expired, icmp_error and it's still the same mbuf that originally got
> the M_DECRYPTED set. Thus the packet is just freed and you never see
> anything.
>
> So thinking about this has nothing to do with gre (or gif for example
> as well) in first place. It's arguably that passing it on to another
> decapsulation the flag should be cleared when entering gre() for
> example.
>
> The other question of course is why we do not send the icmp error back
> even on plain ipsec? Is it because we could possibly leak information
> as it's not caught by the policy sending it back?
>
> /bz
>
Hi Bjoern,
Thanks for your insight. I see in the ip_icmp.c code what you are talking about.
Thanks,
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
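The mechanism Bjoern describes, as an added illustration that is not part of the thread and not FreeBSD source: a small C model of an mbuf carrying a decrypted-marker flag through ESP decryption, GRE decapsulation and the TTL check in the inner ip_input, with icmp_error declining to answer when the marker is still set. The names `model_mbuf`, `model_esp_decrypt`, `model_gre_decap`, `model_icmp_error`, `model_ip_input` and `traceroute_hop_over_gre` are invented for this model; only the flag name `M_DECRYPTED` is taken from the thread, and its numeric value here is an arbitrary choice. The `clear_flag` parameter stands for the change Bjoern floats (clearing the flag on entry to the GRE decapsulation) so the two behaviours can be compared side by side.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model flag bit; the name mirrors FreeBSD's, the value is arbitrary. */
#define M_DECRYPTED 0x0001

/* Minimal stand-in for an mbuf: only the pieces the scenario needs. */
struct model_mbuf {
    unsigned m_flags;  /* per-mbuf flags, persisting across decapsulation */
    int inner_ttl;     /* TTL of the IP header inside the GRE payload */
};

/* ESP input: decrypts and marks the mbuf so later stages know it came
 * out of a tunnel. Nothing downstream clears the mark by itself. */
static void model_esp_decrypt(struct model_mbuf *m)
{
    m->m_flags |= M_DECRYPTED;
}

/* GRE input: strips the outer header. The same mbuf carries on, so the
 * decrypted mark survives unless the decapsulator clears it explicitly. */
static void model_gre_decap(struct model_mbuf *m, bool clear_flag)
{
    if (clear_flag)
        m->m_flags &= ~M_DECRYPTED;
}

/* icmp_error, as the thread describes it: a marked mbuf is freed
 * silently and no ICMP error is generated. Returns true if an error
 * message would actually be sent. */
static bool model_icmp_error(const struct model_mbuf *m)
{
    if (m->m_flags & M_DECRYPTED)
        return false;  /* "the packet is just freed" */
    return true;
}

/* Inner ip_input: on TTL expiry it calls icmp_error, otherwise forwards.
 *  1 -> ICMP time-exceeded sent (traceroute sees the hop)
 *  0 -> dropped silently (traceroute sees "* * *")
 * -1 -> TTL not expired, packet forwarded */
static int model_ip_input(struct model_mbuf *m)
{
    if (m->inner_ttl <= 1)
        return model_icmp_error(m) ? 1 : 0;
    return -1;
}

/* One traceroute probe arriving at this host over a GRE tunnel, either
 * plain or carried inside an IPsec ESP tunnel. */
int traceroute_hop_over_gre(bool over_ipsec, bool gre_clears_flag, int inner_ttl)
{
    struct model_mbuf m = { 0, inner_ttl };
    if (over_ipsec)
        model_esp_decrypt(&m);
    model_gre_decap(&m, gre_clears_flag);
    return model_ip_input(&m);
}

int main(void)
{
    printf("plain gre, ttl expires:           %d\n", traceroute_hop_over_gre(false, false, 1));
    printf("gre over ipsec, ttl expires:      %d\n", traceroute_hop_over_gre(true, false, 1));
    printf("gre over ipsec, flag cleared:     %d\n", traceroute_hop_over_gre(true, true, 1));
    printf("gre over ipsec, ttl not expired:  %d\n", traceroute_hop_over_gre(true, false, 5));
    return 0;
}
```

The second line of output is the symptom from the thread: the probe is decrypted, decapsulated and expires, yet no time-exceeded message leaves the box because the flag set at ESP input is still on the mbuf when icmp_error inspects it. Whether clearing it at the GRE boundary is the right fix depends on the information-leak question Bjoern raises at the end; the model only shows where the decision point sits.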