IPv6 Linklocal address and IPSec bug

From: <Sebastien.Josset(at)space.alcatel.fr>
Date: Mon Sep 15 2003 - 09:56:46 EDT

Hi,

I've found and fixed a small bug in OpenBSD 3.3 Release IPv6/IPSec kernel stack. Cyphered IPv6 packets with link local scope are dropped instead of beeing uncyphered.
This is due to an internal hack for link local IPv6 address: For unicast link local address bytes
from 10 to 63 must be set to 0. So developpers use them to store the network interface index.

netinet6/ip6_input.c:345 : What is done

     if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
          ip6->ip6_dst.s6_addr16[1]
               = htons(m->m_pkthdr.rcvif->if_index);

the destination address has been modified and doesn't match no more with IPSec Security Association.
When searching for the associated SA we need to put it to 0 again.

netinet/ipsec_input.c:182

     default:
          DPRINTF(("ipsec_common_input(): unsupported protocol "
              "family %d\n", af));
          m_freem(m);
          IPSEC_ISTAT(espstat.esps_nopf, ahstat.ahs_nopf,
              ipcompstat.ipcomps_nopf);
          return EPFNOSUPPORT;
     }

+    if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))

+         ip6->ip6_dst.s6_addr16[1]

+              = 0;

     s = spltdb();
     tdbp = gettdb(spi, &dst_address, sproto);

I found it while testing IPv6/IPSec/Multicast.

Best regards,

Sébastien Josset
ALCATEL SPACE
Research Department/Advanced Telecom Satellite Systems Tel : +33 (0)53435 5104 / Fax : +33 (0)53435 5560 Porte : W218 / E-Mail : sebastien.josset@space.alcatel.fr Received on Mon Sep 15 10:04:56 2003