[strongSwan] AES256GCM128 implementation does not discard the packet if the Pad Length and Next Header fields are NOT right-aligned within a 4-byte word.
sankarshan deb
sankarshandeb at gmail.com
Wed Aug 17 14:29:36 CEST 2011
Hi,
I have configured strongSwan with IPsec ESP using AES-GCM256.
I sent an ICMP echo request on the secured interface with misaligned
data.
IPsec should drop the packet. But it is forwarding the ICMP packet
on the non-secured interface.
My ipsec.conf:

conn net-net
    type=tunnel
    #type=transport
    ike=3des-sha1-modp1024
    esp=aes256gcm128-modp2048
    #esp=3des-sha1
    left=10.1.1.10
    # leftid=10.1.1.10
    leftsubnet=20.1.1.30/32
    #leftid=@sun.strongswan.org
    leftfirewall=yes
    right=10.1.1.30
    # rightid=10.1.1.30
    rightsubnet=10.1.1.30/32
    #rightid=@moon.strongswan.org
    auto=add
    authby=secret

Original ICMP packet (plain text):
    IP HDR (src: 10.1.1.30, dst: 20.1.1.30) (20 bytes)
    ICMP HDR (8 bytes)
    ICMP DATA (44 bytes)

Packet on secured interface: 10.1.1.30->10.1.1.10
    Outer IP HDR (dst ip: 10.1.1.10, src ip: 10.1.1.30) (20 bytes)
    Security Parameter Index = 0xC214E310 (4 bytes)
    Sequence Number = 0x00000001 (4 bytes)
    IV (8 bytes)
    Cipher text (72 + 2 (next header + padlen) + 2 (padding) + 1 (to make
    the data misaligned on a 4-byte boundary)) (total 77)
    Auth data (16 bytes)

The strongSwan IPsec implementation should discard the packet, as the Pad
Length and Next Header fields are NOT right-aligned within a 4-byte word.
But I received the original ICMP packet on the plaintext interface
(10.1.1.30->20.1.1.30).
Please let me know the reason.
Thanks and Regards
Sankarshan
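
The alignment rule the post refers to comes from RFC 4303, and the following is an added example of a receiver-side check for it; it is not part of the original message and is not strongSwan or kernel code. The function names and the verdict enum are hypothetical, and the field sizes are the ones listed in the packet layout above (8-byte ESP header, 8-byte IV, 16-byte ICV).

```c
#include <stddef.h>
#include <stdint.h>

/* Field sizes for ESP with aes256gcm128, as listed in the post. */
#define ESP_HDR_LEN 8u   /* SPI (4) + sequence number (4) */
#define GCM_IV_LEN  8u   /* explicit IV carried in each packet */
#define GCM_ICV_LEN 16u  /* 128-bit authentication tag */

/* Hypothetical verdict codes for this example. */
enum esp_verdict { ESP_OK, ESP_TOO_SHORT, ESP_MISALIGNED, ESP_BAD_TRAILER };

/* Before decryption: esp_len is everything after the outer IP header.
 * RFC 4303 requires the ciphertext to end on a 4-byte boundary so that
 * Pad Length and Next Header are right-aligned in a 4-byte word. */
enum esp_verdict esp_check_layout(size_t esp_len)
{
    const size_t overhead = ESP_HDR_LEN + GCM_IV_LEN + GCM_ICV_LEN;
    if (esp_len < overhead + 4)      /* need one word holding the trailer */
        return ESP_TOO_SHORT;
    if ((esp_len - overhead) % 4 != 0)
        return ESP_MISALIGNED;
    return ESP_OK;
}

/* After decryption and ICV verification: parse the trailer of the
 * plaintext pt[0..pt_len) and report the inner payload length. */
enum esp_verdict esp_check_trailer(const uint8_t *pt, size_t pt_len,
                                   size_t *payload_len, uint8_t *next_header)
{
    if (pt_len < 2)
        return ESP_TOO_SHORT;
    size_t pad_len = pt[pt_len - 2];
    if (pad_len + 2 > pt_len)
        return ESP_BAD_TRAILER;
    /* RFC 4303 default padding is the byte sequence 1, 2, 3, ... */
    const uint8_t *pad = pt + pt_len - 2 - pad_len;
    for (size_t i = 0; i < pad_len; i++)
        if (pad[i] != (uint8_t)(i + 1))
            return ESP_BAD_TRAILER;
    *payload_len = pt_len - 2 - pad_len;
    *next_header = pt[pt_len - 1];
    return ESP_OK;
}
```

With the sizes from the post, the 77-byte ciphertext gives an ESP length of 109 and fails the layout check, while the 76-byte form (72 + 2 + 2) passes.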