
NonConforming IPsec implementation from FreeBSD(Kame) IPsec?




Recently, while interoperating Nokia IPxxx boxes' IPsec with FreeBSD Kame IPsec,
we found problems with AH (while Nokia interoperated with Cisco and Win2k for all modes).
Looking at the Kame code, there are the following problems:

	(1) For IPv4, the mutable fields TOS, Flags and Fragment offset are not zeroed out before
	     calculating the ICV, as RFC 2402 says.

	(2) AH tunnel mode is not supported. 

	    Even though the code is there, AH tunnel mode is switched off stating that we 
	    cannot consider the inner IP packet as really authenticated, as it could have been 
	    tampered with between the host and the tunnel endpoint. It is just the outer IP packet 
	    which can be considered authenticated. 
	
	    Should we make an implementation un-interoperable because of this concern?

	    Interestingly, AH tunnel for IPv6 still works, despite an attempt to switch it off, because
	    of the way the SPD for the IPv6 case is set up!!

I think for such widely distributed software, we should correct the above problems. Could
somebody from Kame please comment/take note?

Thanks,
Atul
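
An added example, not part of the original message and not KAME or Nokia code: the IPv4 header preparation that point (1) refers to, zeroing the fields RFC 2402 classifies as mutable (TOS, Flags, Fragment Offset, plus TTL and Header Checksum) before the header is fed to the ICV computation. The function names and the sample headers are constructed for illustration, and headers carrying IP options are rejected rather than processed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV4_BASE_HDR 20

/* Copy the IPv4 base header to `out`, zeroing the fields RFC 2402 lists as
 * mutable, so the result can be fed to the ICV computation.
 * Returns 20 on success, -1 on bad input or when IP options are present. */
int ah4_icv_header(const uint8_t *pkt, size_t len, uint8_t out[IPV4_BASE_HDR])
{
    if (pkt == NULL || out == NULL || len < IPV4_BASE_HDR)
        return -1;
    if ((pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) != 5)
        return -1;               /* not IPv4, or options (not handled here) */
    memcpy(out, pkt, IPV4_BASE_HDR);
    out[1] = 0;                  /* Type of Service */
    out[6] = 0; out[7] = 0;      /* Flags (3 bits) + Fragment Offset (13 bits) */
    out[8] = 0;                  /* Time to Live */
    out[10] = 0; out[11] = 0;    /* Header Checksum */
    return IPV4_BASE_HDR;
}

/* 1 if both headers give identical ICV input, 0 if they differ, -1 on error. */
int ah4_same_icv_input(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t za[IPV4_BASE_HDR], zb[IPV4_BASE_HDR];
    if (ah4_icv_header(a, len, za) < 0 || ah4_icv_header(b, len, zb) < 0)
        return -1;
    return memcmp(za, zb, IPV4_BASE_HDR) == 0;
}

/* Constructed sample headers (192.0.2.1 -> 192.0.2.2, protocol 51 = AH);
 * the checksum bytes are placeholders, not computed values. */
static const uint8_t hdr_sent[20] = {
    0x45,0x00,0x00,0x54, 0x12,0x34,0x40,0x00, 0x40,0x33,0xaa,0xaa, 192,0,2,1, 192,0,2,2 };
/* The same packet after routers changed TOS, TTL and checksum in transit. */
static const uint8_t hdr_rcvd[20] = {
    0x45,0xb8,0x00,0x54, 0x12,0x34,0x40,0x00, 0x3d,0x33,0xbb,0xbb, 192,0,2,1, 192,0,2,2 };
/* As hdr_rcvd, but with a changed source address (an immutable field). */
static const uint8_t hdr_forged[20] = {
    0x45,0xb8,0x00,0x54, 0x12,0x34,0x40,0x00, 0x3d,0x33,0xbb,0xbb, 192,0,2,99, 192,0,2,2 };

int main(void)
{
    /* Exit status 0: transit changes are ignored, the address change is not. */
    return !(ah4_same_icv_input(hdr_sent, hdr_rcvd, sizeof hdr_sent) == 1 &&
             ah4_same_icv_input(hdr_sent, hdr_forged, sizeof hdr_sent) == 0);
}
```

A peer that skips any of these zeroing steps hashes different bytes than one that performs them, so the two ICVs differ even for an untampered packet.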