NonConforming IPsec implementation from FreeBSD(Kame) IPsec?
Recently, while interoperating Nokia IPxxx boxes' IPsec with FreeBSD Kame IPsec,
we found problems with AH (while Nokia interoperated with Cisco and Win2k for all modes).
Looking at the Kame code, there are the following problems:
(1) For IPv4, the mutable fields TOS, Flags and Fragment offset are not zeroed out before
calculating the ICV, as RFC 2402 says.
(2) AH tunnel mode is not supported.
Even though the code is there, AH tunnel mode is switched off stating that we
cannot consider the inner IP packet as really authenticated, as it could have been
tampered with between the host and the tunnel endpoint. It is just the outer IP packet
which can be considered authenticated.
Should we make an implementation un-interoperable because of this concern?
Interestingly, AH tunnel for IPv6 still works, despite an attempt to switch it off, because
of the way the SPD for the IPv6 case is set up!!
I think for such widely distributed software, we should correct the above problems. Could
somebody from Kame please comment/take note?
Thanks,
Atul
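
Added example, not part of the original message and not Kame or Nokia code: a Python model of point (1), computing an HMAC-SHA1-96 AH ICV over an option-less IPv4 header with the RFC 2402 mutable fields (TOS, Flags, Fragment Offset, TTL, Header Checksum) zeroed, next to a variant that leaves TOS, Flags and Fragment Offset untouched as the post reports. The key, addresses, SPI and payload are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

KEY = b"k" * 20                      # constructed HMAC-SHA1 key
PAYLOAD = b"constructed upper-layer data"
# AH header: next hdr, payload len, reserved, SPI, sequence, 12-byte ICV
AH = struct.pack("!BBHII", 6, 4, 0, 0x100, 1) + b"\x00" * 12

def build_ip(tos, flags_frag, ttl):
    """Constructed 20-byte IPv4 header, 192.0.2.1 -> 192.0.2.2, proto 51."""
    total_len = 20 + len(AH) + len(PAYLOAD)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234,
                       flags_frag, ttl, 51, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def zero_mutable(ip_hdr, conforming=True):
    """Return the IPv4 header as it is fed into the ICV computation.

    conforming=True zeroes every mutable field. conforming=False models
    the behaviour reported in the post: TOS, Flags and Fragment Offset
    keep their on-the-wire values.
    """
    h = bytearray(ip_hdr)
    if (h[0] & 0x0F) * 4 != 20 or len(h) < 20:
        raise ValueError("example handles option-less headers only")
    h[8] = 0                      # TTL
    h[10:12] = b"\x00\x00"        # Header Checksum
    if conforming:
        h[1] = 0                  # TOS
        h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    return bytes(h[:20])

def ah_icv(key, ip_hdr, ah_hdr, payload, conforming=True):
    """HMAC-SHA1-96 over IP header, AH header with zeroed ICV, payload."""
    ah = ah_hdr[:12] + b"\x00" * 12
    data = zero_mutable(ip_hdr, conforming) + ah + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

if __name__ == "__main__":
    plain = build_ip(0x00, 0x0000, 64)    # TOS 0, no flags
    marked = build_ip(0x10, 0x4000, 63)   # TOS set, DF set, TTL decremented
    for name, hdr in (("plain", plain), ("marked", marked)):
        good = ah_icv(KEY, hdr, AH, PAYLOAD)
        bad = ah_icv(KEY, hdr, AH, PAYLOAD, conforming=False)
        print(name, good.hex(), bad.hex(), "match" if good == bad else "MISMATCH")
```

The two computations agree only while TOS, Flags and Fragment Offset all happen to be zero on the wire, so a mismatch of this kind shows up as soon as, for example, DF or a TOS value is set.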