tcp/ip stack sending icmp "ttl exceeded in traffic" back through gre \w ipsec-esp encryption tunnels.

David DeSimone fox at verio.net
Tue Mar 22 05:38:26 UTC 2011


Andrei Manescu - Ivorde <andrei.manescu at ivorde.ro> wrote:
>
> Problem: RouterA and RouterB in the following diagram are FreeBSD
> 6.4-STABLE and 7.4-STABLE running a gre tunnel and ipsec transport mode
> encryption on top of it.
>
> None of them send an icmp error "TTL Exceeded in traffic" when the TTL
> of the packet reaches 0 after they decrement it.
>
> hostA----RouterA--GRE-inside-IPSEC/ESP/transport---RouterB---hostB
>
> Packets sent from hostA to hostB with a TTL 2 that should have an ICMP
> "TTL exceeded in traffic" returned by RouterB have no effect.

Isn't this by design?

An ICMP reply might be sent to an unrelated router hop, meaning there is
no security association for it.  Since that ICMP reply will contain the
header of the expired packet, sending that reply will take a packet that
was encrypted and send part of it back, unencrypted.  This could
potentially provide an attacker with some known plaintext with which to
attack your VPN's encryption keys.

-- 
David DeSimone == Network Admin == fox at verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
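To make the point in the reply concrete, here is an added example (not code from this thread or from FreeBSD) that builds the ICMP Time Exceeded message a router generates per RFC 792 and shows exactly which bytes of the decrypted inner datagram it echoes back: the inner IP header plus the first 64 bits of its payload. The addresses, the TCP SYN and the router address are constructed for the demonstration; the router quotes the datagram as it was received, which is an assumption about implementation behaviour, not something the thread states.

```python
"""Constructed example: what an ICMP "Time Exceeded" error reveals about a
datagram that arrived inside a GRE-over-ESP tunnel.  Not code from the
original thread or from FreeBSD; all addresses and payload bytes are made up."""
import socket
import struct

ICMP_TIME_EXCEEDED = 11      # RFC 792 type; code 0 = TTL exceeded in transit
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, used for both the IP and the ICMP header.
    Over a header whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram: 20-byte header, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def build_time_exceeded(router_ip: str, expired: bytes) -> bytes:
    """ICMP Time Exceeded as RFC 792 lays it out: an 8-byte ICMP header
    followed by the expired datagram's IP header and the first 64 bits of
    its payload.  Those quoted bytes are copied verbatim from the packet
    the router just decrypted (assumption: quoted as received)."""
    ihl = (expired[0] & 0x0F) * 4
    quoted = expired[:ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    original_src = socket.inet_ntoa(expired[12:16])
    # The error goes from the router itself back to the original sender.
    return build_ipv4(router_ip, original_src, IPPROTO_ICMP, 64, icmp)


def forward(router_ip: str, pkt: bytes):
    """One router hop on the decapsulated inner packet.  Returns
    (rewritten packet, None) when it can be forwarded, or
    (None, icmp_error) when the TTL expires here."""
    ttl = pkt[8]
    if ttl <= 1:
        return None, build_time_exceeded(router_ip, pkt)
    hdr = bytearray(pkt[:20])
    hdr[8] = ttl - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(hdr)))
    return bytes(hdr) + pkt[20:], None


def quoted_plaintext(icmp_error: bytes) -> bytes:
    """The bytes of the original datagram carried in the clear by the error."""
    ihl = (icmp_error[0] & 0x0F) * 4
    return icmp_error[ihl + 8:]


# Constructed traffic: hostA -> hostB TCP SYN to port 443, reaching RouterB
# with TTL 1 (hostA sent TTL 2; RouterA already decremented it once).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 0x11223344, 0, 0x50, 0x02,
                      65535, 0, 0)
INNER = build_ipv4("10.0.1.10", "10.0.2.20", IPPROTO_TCP, 1, TCP_SYN)
ROUTER_B = "192.0.2.2"   # constructed address for RouterB

if __name__ == "__main__":
    forwarded, error = forward(ROUTER_B, INNER)
    leaked = quoted_plaintext(error)
    print("decrypted bytes echoed back in the clear: %d" % len(leaked))
    print(leaked.hex())
```

Running it shows 28 bytes (the inner IP header and the TCP ports, sequence number) that travelled under ESP and now leave RouterB in an ICMP packet addressed to hostA; whether that packet is itself protected depends on whether RouterB's route to hostA has a security association, which is exactly the case the reply above says cannot be assumed.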



