** Changed in: linux (Ubuntu Bionic)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1876982
Title:
tunnels over IPv6 are unencrypted when using IPsec
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Fix Released
Status in linux source package in Bionic:
Fix Released
Bug description:
[Impact]
When tunnels are configured over IPv6 using a xfrm policy, it's ignored. That
means data will be unencrypted when it shouldn't.
[Test case]
Launch a VM with the given kernel and monitor its network link on the host
with:
tcpdump -n -i virbr0 ip6 and port 4789
In the guest, set up a tunnel using an IPv6 address:
ip link add type vxlan id 5 remote fd00:cafe::2 dstport 4789
When setting the link up, observe packets being output on the host side:
ip link set vxlan0 up
Set the link down, and add a xfrm policy to block output to that given IPv6
address:
ip link set vxlan0 down
ip xfrm policy add dst fd00:cafe::2 dir out action block
Check that using ping won't work with Operation not permitted:
ping6 fd00:cafe::2
connect: Operation not permitted
Set the vxlan link up and watch that no packets appear on tcpdump:
ip link set vxlan0 up
[Regression potential]
Tunnels like VXLAN, GENEVE, etc, will stop to send. The test has shown that
it still sends at least when no xfrm policy is configured.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1876982/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
