[strongSwan] AES256GCM128 implementation does not discard the packet if the Pad Length and Next Header fields are NOT right aligned within a 4-byte word.

Andreas Steffen andreas.steffen at strongswan.org
Wed Aug 17 16:32:43 CEST 2011


Hello Sankarshan,

you should post this on the netdev at vger.kernel.org mailing list,
since this is an IPsec stack problem of the Linux kernel and
doesn't have anything to do with strongSwan, which is a userland
IKE daemon.

Best regards

Andreas


On 08/17/2011 02:29 PM, sankarshan deb wrote:
> Hi,
> 
>           I have configured strongSwan with IPsec ESP using AES-GCM256.
>           I sent an ICMP echo request on the secured interface with
> misaligned data.
>           IPsec should drop the packet, but it is forwarding the ICMP
> packet on the non-secured interface.
>          
> 
>          My ipsec.conf:
> 
>    conn net-net
>         type=tunnel
>         #type=transport
>         ike=3des-sha1-modp1024
>         esp=aes256gcm128-modp2048
>         #esp=3des-sha1
>         left=10.1.1.10
>       #  leftid=10.1.1.10
>         leftsubnet=20.1.1.30/32
>         #leftid=@sun.strongswan.org
>         leftfirewall=yes
>         right=10.1.1.30
>       #  rightid=10.1.1.30
>         rightsubnet=10.1.1.30/32
>         #rightid=@moon.strongswan.org
>         auto=add
>         authby=secret
> 
> 
>        Original ICMP packet (plaintext):
>        IP HDR (src: 10.1.1.30, dst: 20.1.1.30) (20 bytes)
>        ICMP HDR (8 bytes)
>        ICMP DATA (44 bytes)
> 
>        Packet on secured interface: 10.1.1.30 -> 10.1.1.10
> 
>        Outer IP HDR (dst ip: 10.1.1.10, src ip: 10.1.1.30) (20 bytes)
>        Security Parameter Index = 0xC214E310 (4 bytes)
>        Sequence Number          = 0x00000001 (4 bytes)
>        IV (8 bytes)
>        Cipher text (72 + 2 (next header + pad len) + 2 (padding) + 1 (to
> make the data misaligned on a 4-byte boundary)) (total 77)
>        Auth data (16 bytes)
> 
> 
>        The strongSwan IPsec implementation should discard the packet, as the
> Pad Length and Next Header fields are NOT right aligned within a 4-byte word.
> 
>        But I received the original ICMP packet on the plaintext
> interface (10.1.1.30 -> 20.1.1.30).
> 
>        Please let me know the reason.
> 
> Thanks and Regards
> Sankarshan


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
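The framing rule the report relies on is RFC 4303 section 2.4: the encrypted region of an ESP packet (Payload Data, Padding, Pad Length, Next Header) must end on a 4-byte boundary so that Pad Length and Next Header are right-aligned in a 4-byte word and the ICV starts 4-byte aligned; for a combined-mode cipher such as AES-GCM, whose block size is 1, that 4-byte alignment is the only requirement. The example below is an added illustration, not strongSwan or Linux kernel code: it parses a constructed ESP packet with the sizes quoted in the thread (8-byte SPI/SN header, 8-byte GCM IV, 77-byte ciphertext, 16-byte ICV) and applies the receiver-side length check, then shows the post-decryption trailer check on a constructed plaintext. Packet contents, the SPI value reuse and the helper names are assumptions; which stack is responsible for dropping the packet is the point of the reply above and is not decided here.

```python
"""Receiver-side ESP framing checks after RFC 4303 section 2.4.

Added example, not strongSwan or Linux kernel code.  All packets below are
constructed from the sizes quoted in the thread; they are not captures.
"""
import struct

ESP_HDR_LEN = 8      # SPI (4) + Sequence Number (4)
GCM_IV_LEN = 8       # RFC 4106: 8-byte explicit IV for AES-GCM in ESP
GCM_ICV_LEN = 16     # aes256gcm128 -> 128-bit ICV


def esp_payload_len(esp_len, iv_len=GCM_IV_LEN, icv_len=GCM_ICV_LEN):
    """Length of the encrypted region: payload + padding + pad length + next header."""
    return esp_len - ESP_HDR_LEN - iv_len - icv_len


def check_esp_alignment(esp_packet, iv_len=GCM_IV_LEN, icv_len=GCM_ICV_LEN,
                        cipher_block=1):
    """Return (ok, reason) for the pre-decryption length check.

    The encrypted region must be a non-zero multiple of the cipher block size
    rounded up to 4, so that Pad Length / Next Header are right-aligned in a
    4-byte word and the ICV starts on a 4-byte boundary (RFC 4303 2.4).
    """
    if len(esp_packet) < ESP_HDR_LEN + iv_len + icv_len + 2:
        return False, "packet too short for ESP header, IV, trailer and ICV"
    elen = esp_payload_len(len(esp_packet), iv_len, icv_len)
    align = (max(cipher_block, 4) + 3) & ~3   # round block size up to 4
    if elen <= 0 or elen % align:
        return False, "encrypted length %d is not a multiple of %d" % (elen, align)
    spi, seq = struct.unpack("!II", esp_packet[:ESP_HDR_LEN])
    return True, "spi=0x%08X seq=%d elen=%d" % (spi, seq, elen)


def check_esp_trailer(plaintext):
    """Post-decryption check: Pad Length must fit inside the plaintext, and the
    default padding is the monotonic sequence 1, 2, 3, ... which receivers
    SHOULD verify (RFC 4303 2.4).  Returns (ok, reason)."""
    if len(plaintext) < 2:
        return False, "no room for Pad Length and Next Header"
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        return False, "pad length %d exceeds payload" % pad_len
    pad = plaintext[len(plaintext) - 2 - pad_len:len(plaintext) - 2]
    if pad != bytes(range(1, pad_len + 1)):
        return False, "padding bytes are not the RFC 4303 default sequence"
    return True, "next_header=%d payload_len=%d" % (next_hdr, len(plaintext) - 2 - pad_len)


def build_esp(ct_len, spi=0xC214E310, seq=1):
    """Constructed ESP packet: real header fields, dummy IV/ciphertext/ICV bytes."""
    return (struct.pack("!II", spi, seq) + b"\x00" * GCM_IV_LEN
            + b"\xaa" * ct_len + b"\x00" * GCM_ICV_LEN)


# 72 bytes of inner IP+ICMP, 2 bytes padding, 2-byte trailer, plus the one extra
# byte the reporter added: 77 bytes, which is not a multiple of 4.
MISALIGNED = build_esp(77)
# The same packet without the extra byte: 76 bytes, correctly aligned.
ALIGNED = build_esp(76)

# Constructed decrypted payload: 72 bytes inner packet, padding 01 02,
# Pad Length 2, Next Header 4 (IPv4-in-IPsec, tunnel mode).
GOOD_PLAINTEXT = b"\x45" * 72 + b"\x01\x02" + b"\x02\x04"

if __name__ == "__main__":
    for name, pkt in (("misaligned", MISALIGNED), ("aligned", ALIGNED)):
        print(name, check_esp_alignment(pkt))
    print("trailer", check_esp_trailer(GOOD_PLAINTEXT))
```

The alignment check runs before any cryptographic work, on nothing but the packet length and the SA's algorithm parameters, so it costs nothing and rejects the 77-byte case outright; the trailer check only becomes possible after the ICV has verified and the payload has been decrypted, and a failed trailer check is a reason to drop, not to forward.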