system/4725: ipsec mistakenly encrypts packets not destined for ipsec


Peter J. Philipp
>Number:         4725
>Category:       system
>Synopsis:       ipsec mistakenly encrypts packets not destined for ipsec
>Confidential:   yes
>Severity:       non-critical
>Priority:       low
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 21 13:20:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Peter Philipp
>Release:        
>Organization:
net
>Environment:
       
        System      : OpenBSD 3.8
        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        Not sure if this is a misconfiguration or a bug, it's highly odd.
I have IPsec associations set up with ipsecadm.  Here is what they look like:

/sbin/ipsecadm new esp -enc blf -spi 1002 -dst 10.0.0.2 -src 10.0.0.1 -key #censored# -forcetunnel
/sbin/ipsecadm new esp -enc blf -spi 1003 -dst 10.0.0.1 -src 10.0.0.2 -key #censored# -forcetunnel
/sbin/ipsecadm flow -dst 10.0.0.1 -src 10.0.0.2 -proto esp -addr 10.0.0.2/32 10.0.0.1/32 -acquire -out
/sbin/ipsecadm flow -dst 10.0.0.1 -src 10.0.0.2 -proto esp -addr 10.0.0.1/32 10.0.0.2/32 -acquire -in
/sbin/ipsecadm flow -dst 10.0.0.1 -src 10.0.0.2 -proto esp -addr 172.16.2.0/23 10.0.0.1/32 -acquire -out
/sbin/ipsecadm flow -dst 10.0.0.1 -src 10.0.0.2 -proto esp -addr 10.0.0.1/32 172.16.2.0/23 -acquire -in

Here is the list of relevant interfaces:

lo0: flags=8149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST> mtu 33192
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:2d:09:4b:44
        media: IEEE802.11 autoselect (DS2)
        status: active
        ieee80211: nwid ATLAS chan 10 -12dBm (auto)
        inet 10.0.0.2 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::202:2dff:fe09:4b44%wi0 prefixlen 64 scopeid 0x1
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:60:08:5a:86:82
        media: Ethernet 100baseTX full-duplex
        status: no carrier
        inet 172.16.2.2 netmask 0xfffffe00 broadcast 172.16.3.255
        inet6 fe80::260:8ff:fe5a:8682%xl0 prefixlen 64 scopeid 0x2

Here is the rest of the interfaces (nonrelevant):

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:bf:70:76:87
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::250:bfff:fe70:7687%rl0 prefixlen 64 scopeid 0x3
rl1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:bf:70:76:a8
        media: Ethernet autoselect
        status: no carrier
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:09:cb:a6:2a
        media: Ethernet autoselect (100baseTX)
        status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
pfsync0: flags=0<> mtu 1364
enc0: flags=141<UP,RUNNING,PROMISC> mtu 1536
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: rl0 state: session
        sid: 0xa35 PADI retries: 1 PADR retries: 0 time: 01:56:52
        groups: pppoe egress
        inet 85.75.70.247 --> 0.0.0.1 netmask 0xffffffff
        inet6 fe80::202:2dff:fe09:4b44%pppoe0 ->  prefixlen 64 scopeid 0xa

When I then run a program that binds to interface wi0 (10.0.0.2) and try to
query it from the box itself, it'll try to encrypt (and rewrite!) the packets
from localhost to 10.0.0.2:

(this is the program, binds on port 53 udp on 10.0.0.2)
$ fstat |grep -i wildcard
named    wildcarddnsd  5835 root /var      20608 drwxr-xr-x   r      512
named    wildcarddnsd  5835   wd /var      20608 drwxr-xr-x   r      512
named    wildcarddnsd  5835    0 /         85977 crw--w----  rw    ttyp1
named    wildcarddnsd  5835    1 /         85977 crw--w----  rw    ttyp1
named    wildcarddnsd  5835    2 /         85977 crw--w----  rw    ttyp1
named    wildcarddnsd  5835    3 /tmp          3 -rw-------  rw        0
named    wildcarddnsd  5835    4* internet dgram udp 10.0.0.2:53
named    wildcarddnsd  5835    5* unix dgram 0xffff8000020b6280 <-> 0xffff800002034800

(this is the routing table, skipping IPv6)
$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            0.0.0.1            UGS        38    78146      -   pppoe0
0.0.0.1            0.0.0.0            UH          2        0      -   pppoe0
10/8               link#1             UC          1        0      -   wi0
10.0.0.2           0:2:2d:9:4b:44     UHLc        1      103      - L lo0
61.91.150.172      0.0.0.1            UGHD        1    77610      - L pppoe0
127/8              127.0.0.1          UGRS        0        0  33192   lo0
127.0.0.1          127.0.0.1          UH          3      458  33192   lo0
172.16.2/23        link#2             UC          0        0      -   xl0
224/4              127.0.0.1          URS         0        0  33192   lo0
...
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.0.0.1/32        0     10.0.0.2/32        0     0     10.0.0.1/50/acquire/in
10.0.0.1/32        0     172.16.2/23        0     0     10.0.0.1/50/acquire/in
10.0.0.2/32        0     10.0.0.1/32        0     0     10.0.0.1/50/acquire/out
172.16.2/23        0     10.0.0.1/32        0     0     10.0.0.1/50/acquire/out

(here is the dig to 10.0.0.2, first one works)
$ dig @10.0.0.2 soa atlas

; <<>> DiG 9.3.1 <<>> @10.0.0.2 soa atlas
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50933
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
...

(second dig, this one doesn't work)
pbug@neptune{19}$ dig @10.0.0.2 soa atlas
^Cpbug@neptune{20}$

Here is what it looked like on lo0:

# tcpdump -v -n -i lo0
tcpdump: listening on lo0, link-type LOOP
13:54:58.547218 10.0.0.2.6885 > 10.0.0.2.53:  [udp sum ok] 50933+ SOA? atlas. (23) (ttl 64, id 13274, len 51)
13:54:58.547308 10.0.0.2.53 > 10.0.0.2.6885:  50933*- 1/0/0 atlas. SOA[|domain] (ttl 64, id 12460, len 100)
13:55:04.620910 esp 10.0.0.1 > 10.0.0.2 spi 0x00001002 seq 11 len 72 (ttl 64, id 6641, len 92)
13:55:09.623395 esp 10.0.0.1 > 10.0.0.2 spi 0x00001002 seq 12 len 72 (ttl 64, id 13456, len 92)


And here is what it looked like on enc0:
# tcpdump -v -n -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC
tcpdump: WARNING: compensating for unaligned libpcap packets
13:55:04.620856 (confidential): SPI 0x00001002: 10.0.0.1 > 10.0.0.2: 10.0.0.2.31615 > 10.0.0.2.53:  [udp sum ok] 25697+ SOA? atlas. (23) (ttl 64, id 6952, len 51) (ttl 64, id 6641, len 71, bad cksum 0!)
13:55:04.620965 (confidential): SPI 0x00001002: 10.0.0.1 > 10.0.0.2: 10.0.0.2.31615 > 10.0.0.2.53:  [udp sum ok] 25697+ SOA? atlas. (23) (ttl 64, id 6952, len 51) (ttl 64, id 6641, len 71)
13:55:09.623349 (confidential): SPI 0x00001002: 10.0.0.1 > 10.0.0.2: 10.0.0.2.31615 > 10.0.0.2.53:  [udp sum ok] 25697+ SOA? atlas. (23) (ttl 64, id 24259, len 51) (ttl 64, id 13456, len 71, bad cksum 0!)
13:55:09.623442 (confidential): SPI 0x00001002: 10.0.0.1 > 10.0.0.2: 10.0.0.2.31615 > 10.0.0.2.53:  [udp sum ok] 25697+ SOA? atlas. (23) (ttl 64, id 24259, len 51) (ttl 64, id 13456, len 71)


OK, so the packet from 10.0.0.2 to 10.0.0.2 sometimes gets encrypted with esp
on lo0 and sometimes it doesn't; also the source gets rewritten as 10.0.0.1.

It looks like a misconfiguration at first, but I never specified a flow from
10.0.0.2/32 to 10.0.0.2/32.

>How-To-Repeat:
        look above.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
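As a diagnostic aid added here (not part of the bug report, and not OpenBSD code): a small Python parser for the "Encap:" section of the `netstat -nr` output quoted in the report, with a matcher that reports which flow, if any, covers a given source/destination pair and direction. Run over the four flows from the report, it confirms that no selector covers the loopback pair 10.0.0.2 -> 10.0.0.2, whereas the rewritten inner header 10.0.0.1 -> 10.0.0.2 seen on enc0 does fall under the inbound 10.0.0.1/32 -> 10.0.0.2/32 flow. The matching rule used (direction must agree, a port or protocol selector of 0 means "any") is an assumption made for this example and is a simplification of the kernel's SPD lookup; the `Flow`, `parse_encap`, `match_flows` and `explain` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the "Encap:" section of `netstat -nr` exactly as it
# appears in the bug report above.
ENCAP_OUTPUT = """\
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.0.0.1/32        0     10.0.0.2/32        0     0     10.0.0.1/50/acquire/in
10.0.0.1/32        0     172.16.2/23        0     0     10.0.0.1/50/acquire/in
10.0.0.2/32        0     10.0.0.1/32        0     0     10.0.0.1/50/acquire/out
172.16.2/23        0     10.0.0.1/32        0     0     10.0.0.1/50/acquire/out
"""


@dataclass
class Flow:
    """One row of the Encap table (one IPsec flow / SPD entry)."""
    src: ipaddress.IPv4Network
    sport: int
    dst: ipaddress.IPv4Network
    dport: int
    proto: int
    sa_addr: str       # SA peer address
    sa_proto: int      # 50 = ESP, 51 = AH
    sa_type: str       # e.g. "acquire"
    direction: str     # "in" or "out"


def _net(text):
    """Expand netstat's abbreviated prefixes ("172.16.2/23") to a network."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_encap(text):
    """Parse the rows following the "Encap:" marker into Flow objects."""
    flows = []
    lines = iter(text.splitlines())
    for line in lines:            # skip everything before the Encap section
        if line.strip() == "Encap:":
            break
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or fields[0] == "Source":   # blank or header line
            continue
        sa_addr, sa_proto, sa_type, direction = fields[5].split("/")
        flows.append(Flow(_net(fields[0]), int(fields[1]),
                          _net(fields[2]), int(fields[3]), int(fields[4]),
                          sa_addr, int(sa_proto), sa_type, direction))
    return flows


def match_flows(flows, src, dst, direction, sport=0, dport=0, proto=0):
    """Return every flow whose selectors cover the packet.

    Assumed matching rule for this example: direction must agree, src/dst must
    fall inside the flow's prefixes, and a port or proto selector of 0 in the
    table means "any". This is a simplification of the kernel's SPD lookup.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for f in flows:
        if f.direction != direction:
            continue
        if s not in f.src or d not in f.dst:
            continue
        if f.sport not in (0, sport) or f.dport not in (0, dport) or f.proto not in (0, proto):
            continue
        hits.append(f)
    return hits


def explain(flows, src, dst, direction):
    """Human-readable verdict for one src/dst pair."""
    hits = match_flows(flows, src, dst, direction)
    if not hits:
        return f"{src} -> {dst} ({direction}): no flow matches, expected cleartext"
    f = hits[0]
    return (f"{src} -> {dst} ({direction}): covered by {f.src} -> {f.dst}, "
            f"SA {f.sa_addr} proto {f.sa_proto} ({f.sa_type})")


if __name__ == "__main__":
    flows = parse_encap(ENCAP_OUTPUT)
    # Loopback query exactly as seen on lo0 in the report: no selector covers it.
    print(explain(flows, "10.0.0.2", "10.0.0.2", "out"))
    # The rewritten inner header seen on enc0 does fall under the inbound flow.
    print(explain(flows, "10.0.0.1", "10.0.0.2", "in"))
    # A legitimate tunnel packet from the 172.16.2/23 side.
    print(explain(flows, "172.16.2.2", "10.0.0.1", "out"))
```

Paste the Encap section of your own `netstat -nr` into `ENCAP_OUTPUT` and call `explain()` for the src/dst pair seen in tcpdump; a "no flow matches" verdict for a packet that nevertheless shows up as ESP on enc0 is the symptom the report describes.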