author: ume <ume@FreeBSD.org> 2001-06-27 19:41:20 +0000
committer: ume <ume@FreeBSD.org> 2001-06-27 19:41:20 +0000
commit: 3abcb6040a85956b85cd757f6fe2c56d55fc6f9b (patch)
tree: 21d72f73f878fe3c4327721a7bd709e42b8de830 /share
parent: 6c95672334daef1917a52fd88dc5afc0b4aba788 (diff)
download: FreeBSD-src-3abcb6040a85956b85cd757f6fe2c56d55fc6f9b.zip
          FreeBSD-src-3abcb6040a85956b85cd757f6fe2c56d55fc6f9b.tar.gz
clarify problem with inbound AH.
spdadd A B -P in ipsec esp/tunnel/C-D/use ah/tunnel/C-D/require; does not work due to 1-bit validation bit we are using with inbound policy checking.

Submitted by: itojun
Obtained from: KAME
MFC after: 1 week
Diffstat (limited to 'share')
-rw-r--r--  share/man/man4/ipsec.4  25
1 files changed, 18 insertions, 7 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index d9502e6..ab09129 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -1,5 +1,5 @@
.\" $FreeBSD$
-.\" $KAME: ipsec.4,v 1.15 2001/04/05 01:00:45 itojun Exp $
+.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
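Review bot: the $KAME revision tag moves from 1.15 straight to 1.17, so revision 1.16 is skipped; since the commit message says "Obtained from: KAME", it would help to state whether 1.16 was already merged or is intentionally left out, so the next sync does not have to guess what is missing.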
@@ -61,7 +61,7 @@ and protects it from intermediate alteration or impersonation,
by attaching cryptographic checksum computed by one-way hash functions.
.Nm
has two operation modes: transport mode and tunnel mode.
-Transport mode is for protecting peer-to-peer commuication between end nodes.
+Transport mode is for protecting peer-to-peer communication between end nodes.
Tunnel mode includes IP-in-IP encapsulation operation
and is designed for security gateways, like VPN configurations.
.\"
@@ -294,15 +294,26 @@ The IPsec support is subject to change as the IPsec protocols develop.
There is no single standard for policy engine API,
so the policy engine API described herein is just for KAME implementation.
.Pp
-AH tunnel may not work as you might expect.
-If you configure
+AH and tunnel mode encapsulation may not work as you might expect.
+If you configure inbound
.Dq require
-policy against AH tunnel for inbound, tunnelled packets will be rejected.
-This is because AH authenticates encapsulating
+policy against AH tunnel or any IPsec encapsulating policy with AH
+.Po
+like
+.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require
+.Pc ,
+tunnelled packets will be rejected.
+This is because we enforce policy check on inner packet on reception,
+and AH authenticates encapsulating
.Pq outer
packet, not the encapsulated
.Pq inner
-packet.
+packet
+.Po
+so for the receiving kernel there's no sign of authenticity
+.Pc .
+The issue will be solved when we revamp our policy engine to keep all the
+packet decapsulation history.
.Pp
Under certain condition,
truncated result may be raised from the kernel
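Review bot: the new parenthetical "so for the receiving kernel there's no sign of authenticity" can be read as saying the outer AH is never verified, whereas the preceding sentence explains the real cause: the policy check runs on the inner packet after decapsulation, and the outer AH verification is not carried over to it. Suggest "so when the decapsulated inner packet is checked against the policy, the kernel has no record that the outer packet was authenticated". The example policy "esp/tunnel/A-B/use ah/transport/A-B/require" uses ah/transport while the commit message's failing case is ah/tunnel; both are covered by "any IPsec encapsulating policy with AH", but one clause saying that the mode of the AH entry does not matter, only that a "require" AH entry sits behind an encapsulation, would tie the manual page to the reported case. Finally, "The issue will be solved when we revamp our policy engine" commits a manual page to a future plan; "is expected to be addressed when the policy engine keeps packet decapsulation history" keeps the same information without the promise.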