'Re: iked wrongly processes traffic selectors'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-bugs
Subject:    Re: iked wrongly processes traffic selectors
From:       "Nils Blomqvist" <dassies () eml ! cc>
Date:       2020-07-20 14:19:55
Message-ID: 21B7C577-39EC-48A5-89A5-EBF48C910C94 () eml ! cc
[Download RAW message or body]

On 20 Jul 2020, at 15:15, Stuart Henderson wrote:

> Moving to bugs@:
>
> In gmane.os.openbsd.misc, Anton Kasmov wrote:

>> I am using OpenBSD 6.7
>> iked does not respect mixing ports in the source and the destination 
>> of
>> traffic selectors.
>>
>> Such policy in iked.conf
>> ikev2 "epsilon" active \
>>         proto tcp \
>>         from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
>>         from aaaa:aaaa:aaaa::30 port postgresql to 
>> cccc:cccc:cccc::/48 \
>>         from aaaa:aaaa:aaaa::30 port postgresql to 
>> bbbb:bbbb:bbbb::/48 \
>>         peer d.d.d
>>
>> Produces wrong flows (specifying only destination port from first 
>> selector):
>>
>> flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to
>> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type 
>> require
>> flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to
>> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type 
>> require
>> flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to
>> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type 
>> require
>> flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 
>> port
>> 8000  peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 
>> *port
>> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>> flow esp out proto tcp from 2a04:5200:fff5::30 to 
>> fdd3:d128:dc2d:10::2 *port
>> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>
> Actually whatever is used as "port" on the first selector is used for 
> all
> other selectors; if there is no port on the first selector, no port is 
> used
> for any others.
>
> I had a look but I think it's beyond my yacc skills.

I reported the same bug in the beginning of 2019. Thread at
https://marc.info/?t=155091934700001&r=1&w=2. I stopped using a VPN 
solution,
but if I had to set up one today I would probably have a look at 
Wireguard.

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic