NetBSD Problem Report #17459

Received: (qmail 7743 invoked by uid 605); 2 Jul 2002 16:19:01 -0000
Message-Id: <200207021618.SAA0000300957@zel459.zel.kfa-juelich.de>
Date: Tue, 2 Jul 2002 18:18:58 +0200 (MEST)
From: M.Drochner@fz-juelich.de
Sender: gnats-bugs-owner@netbsd.org
Reply-To: M.Drochner@fz-juelich.de
To: gnats-bugs@gnats.netbsd.org
Subject: racoon(8) SPD lookup hits wrong entries
X-Send-Pr-Version: 3.95

>Number:         17459
>Category:       kern
>Synopsis:       racoon(8) SPD lookup hits wrong entries
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 02 16:20:00 +0000 2002
>Closed-Date:    
>Last-Modified:  Sat Nov 17 13:34:37 +0000 2007
>Originator:     Matthias Drochner
>Release:        NetBSD 1.6B
>Organization:
	KFA Juelich
>Environment:
System: NetBSD zelz26 1.6B NetBSD 1.6B (TEST) #23: Mon Jul 1 12:05:04 MEST 2002 drochner@zelz26:/home/drochner/netbsd/sys/arch/i386/compile/TEST i386
Architecture: i386
Machine: i386
>Description:
	After I added two rules like these as first lines to /etc/ipsec.conf:

spdadd 0.0.0.0/0 134.94.206.11 icmp -P out none;
spdadd 134.94.206.11 0.0.0.0/0 icmp -P in none;

which are supposed to allow ICMP traffic to pass through unencrypted, key
negotiations stopped working. On the ISAKMP responder side, racoon generated
the following debug messages:

INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 134.94.206.1[0]<=>134.94.206.11[0]
ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required: 0.0.0.0/0[0] 134.94.206.11/32[0] proto=any dir=out
ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.

This is a "leaf-node tunnel" setup where 134.94.206.1 and 134.94.206.11 are the
tunnel endpoints and 134.94.206.11 is an end node at the same time.
Authentication is done by x509 certificates.


>How-To-Repeat:
	Add the "spdadd ... icmp ... none" entries mentioned above to the SPD
and see key negotiations fail.

>Fix:
	The problem seems to be that the call to getsp_r() in
isakmp_quick.c for the inbound policy returns the "icmp" policy
entry. The ul_proto member of spidx is set to IPSEC_ULPROTO_ANY
at this point, which is treated as a wildcard by getsp_r().
The following patch:

*** isakmp_quick.c.~1.4.~	Tue May 21 17:21:28 2002
--- isakmp_quick.c	Tue Jul  2 14:53:47 2002
***************
*** 2011,2017 ****
--- 2011,2021 ----
  		spidx.ul_proto = IPSEC_ULPROTO_ANY;

  	/* get inbound policy */
+ #if 0
  	sp_in = getsp_r(&spidx);
+ #else
+ 	sp_in = getsp(&spidx);
+ #endif
  	if (sp_in == NULL) {
  		if (iph2->ph1->rmconf->gen_policy) {
  			plog(LLV_INFO, LOCATION, NULL,
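Review bot: the `#if 0` / `#else` / `#endif` wrapper keeps the old `sp_in = getsp_r(&spidx);` around as dead code; a committable version of this change replaces the call outright with `sp_in = getsp(&spidx);` and records in a comment why the inbound lookup is no longer reversed. Note also that `spidx.ul_proto = IPSEC_ULPROTO_ANY;` two lines above is left untouched, so the lookup is still a protocol wildcard: moving from getsp_r() to getsp() only changes which wildcard match is found first, and relies on the SPD holding a matching "in" entry, as the PR text itself states.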
***************
*** 2045,2051 ****
--- 2049,2059 ----
  	spidx.prefs = spidx.prefd;
  	spidx.prefd = pref;

+ #if 0
  	sp_out = getsp_r(&spidx);
+ #else
+ 	sp_out = getsp(&spidx);
+ #endif
  	if (!sp_out) {
  		plog(LLV_WARNING, LOCATION, NULL,
  			"no outbound policy found: %s\n",
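Review bot: same `#if 0` pattern as in the first hunk, and the PR text says this hunk is not strictly necessary, so either drop it or state what `getsp(&spidx)` returns for the outbound direction that `getsp_r(&spidx)` does not. The `spidx.prefs = spidx.prefd; spidx.prefd = pref;` swap immediately above shows the selector has already been re-oriented for the outbound lookup, so it is worth confirming that a direct getsp() on that re-oriented selector matches the policy the kernel would pick, rather than a second reversal of it.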

fixes it for me.
(The second hunk is not strictly necessary.)

[begin of speculation section]

My patch requires that
- SPD entries are symmetrical for "in" and "out", and
- there is always an entry with "upper protocol" set to "any".

This is certainly not ideal, but the existing code is likely
to fail too if this is not given, or at least to look up different
SPD entries than the kernel does, which leads to problems if
the "struct secpolicy" parts differ.

Imho the root of the problem is that racoon doesn't have
the same information as the kernel - the original
"upper proto" and "port" get lost in the "pfkey" layer.
See sys/netkey/key.c:key_acquire().
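A toy model of the SPD selector matching described in this PR, added here as an illustration and not taken from racoon or the kernel. It reproduces the PR's SPD order and a phase 2 query whose upper-layer protocol is unknown, and contrasts the wildcard semantics the report describes (ANY in the query matches any entry) with a stricter rule in which a protocol-less query may only select protocol-agnostic entries; the prefix matching, the `strict` switch and all names are assumptions of this example.

```c
/* Toy model of SPD selector matching (added example, not racoon's or the kernel's code). */
#include <stddef.h>
#include <string.h>

#define PROTO_ANY  255  /* stands in for IPSEC_ULPROTO_ANY; constructed value */
#define PROTO_ICMP 1
enum dir { DIR_IN, DIR_OUT };
enum action { ACT_NONE, ACT_IPSEC };
struct selector { const char *src, *dst; int proto; enum dir dir; };
struct policy   { struct selector sel; enum action act; const char *name; };

/* Constructed SPD in the order of the PR's ipsec.conf: the icmp "none" rules come first. */
static const struct policy spd[] = {
    { { "0.0.0.0/0", "134.94.206.11", PROTO_ICMP, DIR_OUT }, ACT_NONE,  "icmp-out-none" },
    { { "134.94.206.11", "0.0.0.0/0", PROTO_ICMP, DIR_IN  }, ACT_NONE,  "icmp-in-none"  },
    { { "0.0.0.0/0", "134.94.206.11", PROTO_ANY,  DIR_OUT }, ACT_IPSEC, "any-out-ipsec" },
    { { "134.94.206.11", "0.0.0.0/0", PROTO_ANY,  DIR_IN  }, ACT_IPSEC, "any-in-ipsec"  },
};
#define NSPD (sizeof spd / sizeof spd[0])

/* Constructed phase 2 query: addresses and direction known, upper protocol lost (ANY). */
static const struct selector inbound_query = { "134.94.206.11", "0.0.0.0/0", PROTO_ANY, DIR_IN };

/* Address matching is reduced to string equality; prefix handling is not the point here. */
static int addr_eq(const char *a, const char *b) { return strcmp(a, b) == 0; }

/* strict == 0: ANY in the query is a wildcard, so the first entry matching on addresses and
 * direction wins whatever its protocol (the behaviour the PR reports: the icmp rule is hit).
 * strict == 1: a query without protocol information may only select protocol-agnostic entries. */
static const struct policy *lookup(const struct selector *q, int strict) {
    for (size_t i = 0; i < NSPD; i++) {
        const struct policy *p = &spd[i];
        if (p->sel.dir != q->dir || !addr_eq(p->sel.src, q->src) || !addr_eq(p->sel.dst, q->dst))
            continue;
        if (q->proto == PROTO_ANY) {
            if (!strict || p->sel.proto == PROTO_ANY) return p;
        } else if (p->sel.proto == PROTO_ANY || p->sel.proto == q->proto) {
            return p;
        }
    }
    return NULL;
}

/* Reversed lookup in the spirit of getsp_r(): swap the addresses and flip the direction. */
static const struct policy *lookup_reverse(const struct selector *q, int strict) {
    struct selector r = { q->dst, q->src, q->proto, q->dir == DIR_IN ? DIR_OUT : DIR_IN };
    return lookup(&r, strict);
}

static const char *policy_name(const struct policy *p) { return p ? p->name : "no policy"; }
```

With the wildcard rule both the direct and the reversed lookup land on an icmp "none" entry, which is the "policy found, but no IPsec required" condition from the log above; the strict rule selects the "any" entries instead.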
>Release-Note:
>Audit-Trail:

From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
To: M.Drochner@fz-juelich.de
Cc: sakane@kame.net
Subject: Re: kern/17459: racoon(8) SPD lookup hits wrong entries 
Date: Wed, 03 Jul 2002 01:46:49 +0900

 >>Synopsis:       racoon(8) SPD lookup hits wrong entries

 	we (KAME) have discussed this issue recently (a couple of weeks ago)
 	and will update the portion of the code, hopefully in not too long a time.
 	sakane got his first child 2 months ago so he's very busy (as a
 	novice father), sorry for the possible delays in fixes ;-)

 itojun
Responsible-Changed-From-To: kern-bug-people->itojun 
Responsible-Changed-By: itojun 
Responsible-Changed-When: Wed Jul 3 17:43:02 PDT 2002 
Responsible-Changed-Why:  
kame 
Responsible-Changed-From-To: itojun->kern-bug-people
Responsible-Changed-By: wiz@netbsd.org
Responsible-Changed-When: Sat, 17 Nov 2007 13:34:37 +0000
Responsible-Changed-Why:
Back to role account.


>Unformatted:
