diff options
author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 2001-06-24 22:11:49 +0000 |
---|---|---|
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 2001-06-24 22:11:49 +0000 |
commit | 7ddf298b7352a83051ae6a4cede70b23123c4511 (patch) | |
tree | 3105fc77c430aa0b336d0dae7271988731ea1b06 | |
parent | 4179bb3888461061584858ba18408cc139c23a7e (diff) |
Old M of mine, uncovered by the recent dhcpd update: Bypass IPsec in all
DHCP traffic.
-rw-r--r-- | usr.sbin/dhcp/common/socket.c | 11 | ||||
-rw-r--r-- | usr.sbin/dhcp/dhclient/dhclient.8 | 4 | ||||
-rw-r--r-- | usr.sbin/dhcp/relay/dhcrelay.8 | 8 | ||||
-rw-r--r-- | usr.sbin/dhcp/server/dhcpd.8 | 4 |
4 files changed, 27 insertions, 0 deletions
diff --git a/usr.sbin/dhcp/common/socket.c b/usr.sbin/dhcp/common/socket.c index 03aac4a4a9f..02049944dde 100644 --- a/usr.sbin/dhcp/common/socket.c +++ b/usr.sbin/dhcp/common/socket.c @@ -81,6 +81,17 @@ int if_register_socket (info) if (bind (sock, (struct sockaddr *)&name, sizeof name) < 0) error ("Can't bind to dhcp address: %m"); + flag = IPSEC_LEVEL_BYPASS; + if (setsockopt (sock, IPPROTO_IP, IP_AUTH_LEVEL, + (char *)&flag, sizeof flag) < 0) + error ("Can't bypass auth IPsec on dhcp socket: %m"); + if (setsockopt (sock, IPPROTO_IP, IP_ESP_TRANS_LEVEL, + (char *)&flag, sizeof flag) < 0) + error ("Can't bypass ESP transport on dhcp socket: %m"); + if (setsockopt (sock, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, + (char *)&flag, sizeof flag) < 0) + error ("Can't bypass ESP network on dhcp socket: %m"); + return sock; } diff --git a/usr.sbin/dhcp/dhclient/dhclient.8 b/usr.sbin/dhcp/dhclient/dhclient.8 index eae843776c7..ae9ec6663c8 100644 --- a/usr.sbin/dhcp/dhclient/dhclient.8 +++ b/usr.sbin/dhcp/dhclient/dhclient.8 @@ -108,6 +108,10 @@ available but BOOTP is. In that case, it may be advantageous to arrange with the network administrator for an entry on the BOOTP database, so that the host can boot quickly on that network rather than cycling through the list of old leases. +.PP +DHCP traffic always bypass IPsec, otherwise there can come up situations +when a server has an IPsec SA for the client, and sends replies over that, +which a potentially newly booted client cannot grasp. .SH COMMAND LINE .PP The names of the network interfaces that dhclient should attempt to diff --git a/usr.sbin/dhcp/relay/dhcrelay.8 b/usr.sbin/dhcp/relay/dhcrelay.8 index ec4f5c74bf4..6b9c560e6fb 100644 --- a/usr.sbin/dhcp/relay/dhcrelay.8 +++ b/usr.sbin/dhcp/relay/dhcrelay.8 @@ -132,6 +132,14 @@ should be relayed must be specified on the command line. .PP .SH SEE ALSO dhclient(8), dhcpd(8), RFC2132, RFC2131. +.SH BUGS +Relayed DHCP traffic could actually safely be protected by IPsec, but +like +.B dhcpd(8) +and +.B dhclient(8), +.B dhcrelay(8) +will bypass IPsec for all its traffic. .SH AUTHOR .B dhcrelay(8) has been written for the Internet Software Consortium diff --git a/usr.sbin/dhcp/server/dhcpd.8 b/usr.sbin/dhcp/server/dhcpd.8 index b7e31881345..a6196f27802 100644 --- a/usr.sbin/dhcp/server/dhcpd.8 +++ b/usr.sbin/dhcp/server/dhcpd.8 @@ -143,6 +143,10 @@ require a great deal of work, our resources are extremely limited, and they can be better spent elsewhere. So please don't complain about this on the mailing list unless you're prepared to fund a project to implement this feature, or prepared to do it yourself. +.PP +DHCP traffic always bypass IPsec, otherwise there can come up situations +when a server has an IPsec SA for the client, and sends replies over that, +which a potentially newly booted client cannot grasp. .SH COMMAND LINE .PP The names of the network interfaces on which dhcpd should listen for |