Begin forwarded message:
Date: Wed, 06 Sep 2017 10:18:33 +0000 From: bugzilla-dae...@bugzilla.kernel.org To: step...@networkplumber.org Subject: [Bug 196839] New: use_time of IPsec policy is updated even when receiving error packets. https://bugzilla.kernel.org/show_bug.cgi?id=196839 Bug ID: 196839 Summary: use_time of IPsec policy is updated even when receiving error packets. Product: Networking Version: 2.5 Kernel Version: 4.8.0 Hardware: Intel OS: Linux Tree: Mainline Status: NEW Severity: normal Priority: P1 Component: Other Assignee: step...@networkplumber.org Reporter: cche...@gmail.com Regression: No Normally the use_time of policy in SPD is updated if the policy is matched by incoming or outgoing IP packets. For protect policy, it is updated if ESP/AH packets are sent or received. The use_time of SPD_IN policy used by IKE implementation like strongSwan to check whether there is inbound traffic, thus determine whether it is necessary to send DPD(dead peer detection, rfc3706) request to check liveness of IPsec peer. In case an unprotected packet is received but matches the IPsec SPD IN protect policy, the packet will be discarded and the error counter XfrmInTmplMismatch in /proc/net/xfrm_stat is incremented. But in such error/malicious case, the use_time of SPD IN policy is also updated. This cause strongSwan to mistakenly regard that the policy is in use and not to trigger DPD request even when it should. In short, this is a security hole in kernel and could lead to DoS attack on IPsec gateway running on Linux. -- You are receiving this mail because: You are the assignee for the bug.