Do not use xform_ipip as decapsulation fallback.

Description

Do not use xform_ipip as decapsulation fallback.

xform_ipip was used as a fallback with low priority for IPIP
encapsulated packets that were decrypted. In some cases
it can decapsulate packets that it shouldn't. This leads to situations
where wrong configurations magically work. Also, it can propagate
the wrong ingress interface, and this can break security.

We have now redesigned the IPSEC code: IPIP encapsulation is called directly
from ipsec_output, and decapsulation is done in ipsec_input with m_striphdr.

Differential Revision: https://reviews.freebsd.org/D1220
MFC after: 1 month
Sponsored by: Yandex LLC

Details

Provenance
ae authored on
Parents
rS275132: Update build for LLDB snapshot at upstream rev 216948