iked installs unexpected flows with IPv6 address pool


iked installs unexpected flows with IPv6 address pool

Chuck Zmudzinski
Synopsis: iked does not install the IPv6 flow specified in iked.conf

Category: system

Environment:
     System      : OpenBSD 6.6
     Details     : OpenBSD 6.6-current (GENERIC.MP) #24: Sun Mar  1
15:34:25 MST 2020
  [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

     Architecture: OpenBSD.amd64
     Machine     : amd64

Description:
             When specifying an IPv6 address pool for IKEv2 clients using the config option in iked.conf with the address/prefix format, and the prefix is larger than 96 so it specifies an address pool smaller than a 32-bit space, and the flow for the client is ::/0 in iked.conf, the expected behavior is to install a flow and lease an address to the client from within the address range specified by the network and mask, as it does correctly for IPv4 pools, but not for IPv6 pools.

How-To-Repeat:
               Here is a sample iked.conf file that causes the problem. Presuming certificates and addresses are configured correctly, make a connection from an IKEv2 Windows, iOS or macOS client and view the log in /var/log/daemon.

Sample iked.conf:

ikev2 'vpn-server' passive esp \
         from ::/0 to ::/0 \
         local 192.168.1.253 peer any \
         srcid vpn.example.com \
         rsa \
         config address 2001:a5e4:1f3:5a39:298:f49c:b058:873c/126 \
         config name-server 2001:a5e4:1f3:5a39::1 \
         tag "ROADW"

We expect an address pool of two usable IPv6 addresses with this
configuration:
2001:a5e4:1f3:5a39:298:f49c:b058:873d and
2001:a5e4:1f3:5a39:298:f49c:b058:873e

Instead, we see this in the log with a connection from an IKEv2 client:

Mar 14 14:20:28 vpn iked[12829]: spi=0x4ca11af80a2f2193:
ikev2_childsa_enable:
loaded flows: ESP-::/0=2001:a5e4:1f3:5a39:298:f49c:0:1/0(0)

We should see something like this in the log:

Mar 14 14:20:28 vpn iked[12829]: spi=0x4ca11af80a2f2193:
ikev2_childsa_enable:
loaded flows: ESP-::/0=2001:a5e4:1f3:5a39:298:f49c:b058:873d/0(0)

Fix:
         I have a simple patch that fixes this. It implements the same arithmetic for IPv6 that is used for the IPv4 case four lines above the patched code:

--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -6092,7 +6092,9 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa
*sa, sa_family_t family)
              break;
          case AF_INET6:
              memcpy(in6, cfg6, sizeof(*in6));
-            nhost = htonl(host);
+            memcpy(&nhost, &cfg6->sin6_addr.s6_addr[12],
+                sizeof(uint32_t));
+            nhost = (nhost & mask) | htonl(host);
              memcpy(&in6->sin6_addr.s6_addr[12], &nhost,
                  sizeof(uint32_t));
              break;
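Review bot: `(nhost & mask) | htonl(host)` ANDs a value copied raw out of `cfg6->sin6_addr.s6_addr[12]`, which is in network byte order, so this only works if `mask` is already a network-order mask over the low 32 bits of the address; please confirm that is what the IPv4 branch above computes, otherwise `mask` needs the same `htonl()` treatment here. Because only `s6_addr[12..15]` is rewritten, the arithmetic also silently assumes a prefix longer than 96 (the case the report describes); a one-line comment before the first `memcpy` stating that assumption would keep the next reader from expecting shorter prefixes to be handled in this branch.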

dmesg:

usbdevs:
usbdevs: no USB controllers found
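To make the contrast between the two log lines above concrete, here is an added example (not iked's code, and not part of the report) that derives the leased address from the report's pool both the pre-patch way and the patched way; the function names and the way the 32-bit mask is derived from the prefix are my own assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/*
 * Address leased to client number `host` from pool `pool`/`prefix`, for
 * prefixes longer than 96 (the report's case: both variants touch only the
 * low 32 bits, s6_addr[12..15]). fixed == 0 reproduces the pre-patch
 * arithmetic, fixed != 0 the patched one. Returns 0 on success, -1 on
 * bad input.
 */
int pool_addr(const char *pool, int prefix, uint32_t host, int fixed,
    struct in6_addr *out)
{
	struct in6_addr cfg6;
	uint32_t nhost, mask;

	if (prefix <= 96 || prefix > 128 || inet_pton(AF_INET6, pool, &cfg6) != 1)
		return -1;
	/* assumed mask derivation: network-order mask over the low 32 bits */
	mask = htonl(0xffffffffU << (128 - prefix));

	memcpy(out, &cfg6, sizeof(*out));
	if (fixed) {
		/* patched: keep the pool's network bits, OR in the host index */
		memcpy(&nhost, &cfg6.s6_addr[12], sizeof(nhost));
		nhost = (nhost & mask) | htonl(host);
	} else {
		/* pre-patch: the pool's low 32 bits are dropped entirely */
		nhost = htonl(host);
	}
	memcpy(&out->s6_addr[12], &nhost, sizeof(nhost));
	return 0;
}

/* 1 if pool_addr() yields `expect` (compared in binary), else 0. */
int pool_addr_is(const char *pool, int prefix, uint32_t host, int fixed,
    const char *expect)
{
	struct in6_addr got, want;

	if (pool_addr(pool, prefix, host, fixed, &got) != 0 ||
	    inet_pton(AF_INET6, expect, &want) != 1)
		return 0;
	return memcmp(&got, &want, sizeof(got)) == 0;
}
```

With the report's pool, host index 1 yields the `...:f49c:0:1` address from the bad log line before the patch and `...:b058:873d` after it.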


Re: iked installs unexpected flows with IPv6 address pool

Tobias Heider-2
Thank you for the detailed report!
Fix committed.


Re: iked installs unexpected flows with IPv6 address pool

Chuck Zmudzinski
Thank you also for the quick fix!

On Mon, Mar 16, 2020 at 5:32 AM Tobias Heider <[hidden email]>
wrote:

> Thank you for the detailed report!
> Fix committed.
>