ipsec foils traceroute on gre/gif
Nicolas DEFFAYET
nicolas-ml at deffayet.com
Wed Feb 19 11:23:11 UTC 2014
On Tue, 2014-02-18 at 13:26 -0500, David DeSimone wrote:
> My understanding of this issue is that replying with an ICMP message for traceroute carries the risk of violating security policy.
>
> When an ICMP Unreachable packet is generated, the first 64 octets in the packet are copied into the reply. If the packet was originally encrypted with IPSEC, those octets were never seen unencrypted on the wire. If the ICMP Unreachable were permitted to be generated and sent, it could very well reveal the unencrypted IPSEC packet contents on the wire, because the source/destination IPs of the ICMP message no longer match the SPDs.
>
> Thus the conservative decision in the kernel is to drop the TTL-exceeded packet coming from IPSEC, with no reply.
>
> In other words, "working as intended."
Is it possible to add a sysctl to turn this on/off per interface, or
is it too complex?
--
Nicolas DEFFAYET
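The following is an added illustration of the point David makes above, written for this archive page; it is not FreeBSD kernel code and not part of the original thread. It builds a small inner datagram (a constructed UDP packet carrying a marker string), generates the ICMP Time Exceeded message a router would normally send for it, and shows that the echoed octets contain the inner packet in the clear. A second function models the conservative decision described in the thread: if the expiring packet arrived through IPsec and the would-be reply (router address to inner sender) is not itself covered by an SPD entry, the packet is dropped without a reply. The addresses, SPD entries and payload are constructed examples; the 64-octet quote length follows the figure used in the thread.

```python
import ipaddress
import socket
import struct

ICMP_TIME_EXCEEDED = 11


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 1) -> bytes:
    """Constructed inner datagram: IPv4 + UDP + payload (UDP checksum left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, ttl, 17, 20 + len(udp)) + udp


def build_time_exceeded(router_ip: str, offending: bytes, quote_len: int = 64) -> bytes:
    """ICMP Time Exceeded (type 11, code 0) quoting the leading octets of the expired datagram.

    This is what a router would emit for traceroute; the quote is copied verbatim,
    so whatever the router saw in the clear is echoed back in the clear."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + offending[:quote_len]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    original_sender = socket.inet_ntoa(offending[12:16])
    return ipv4_header(router_ip, original_sender, 64, 1, 20 + len(body)) + body


def quoted_octets(icmp_packet: bytes) -> bytes:
    """The echoed original datagram: everything after the 20-byte IP and 8-byte ICMP headers."""
    return icmp_packet[28:]


def spd_requires_protection(spd, src: str, dst: str) -> bool:
    """True if some SPD entry (src_net, dst_net) covers this src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in spd)


def decide_ttl_exceeded(offending: bytes, arrived_via_ipsec: bool, router_ip: str, spd) -> str:
    """Model (assumption, not the kernel's code) of the decision described in the thread.

    Plain packets get the usual reply. For a packet that arrived through IPsec the reply
    would be addressed router -> inner sender and carry decrypted octets; unless that
    pair is itself covered by the SPD, sending it would expose them, so it is dropped."""
    if not arrived_via_ipsec:
        return "reply"
    original_sender = socket.inet_ntoa(offending[12:16])
    if spd_requires_protection(spd, router_ip, original_sender):
        return "reply"
    return "drop"


def demo() -> dict:
    # Constructed SPD: only traffic between the two inner subnets is protected.
    spd = [(ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24"))]
    inner = udp_datagram("10.0.0.5", "10.0.1.9", 40000, 53, b"SECRET-DNS-QUERY", ttl=1)
    icmp = build_time_exceeded("192.0.2.1", inner)
    return {
        "quote_leaks_plaintext": b"SECRET-DNS-QUERY" in quoted_octets(icmp),
        "decision_ipsec": decide_ttl_exceeded(inner, True, "192.0.2.1", spd),
        "decision_plain": decide_ttl_exceeded(inner, False, "192.0.2.1", spd),
    }


if __name__ == "__main__":
    print(demo())
```

The router address 192.0.2.1 is outside every SPD selector, so the reply would leave unprotected and the model returns "drop" for the IPsec case while still returning "reply" for ordinary traffic; the quoted bytes show exactly which plaintext such a reply would have carried.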