authorNiklas Hallqvist <niklas@cvs.openbsd.org>2001-06-24 22:11:49 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>2001-06-24 22:11:49 +0000
commit7ddf298b7352a83051ae6a4cede70b23123c4511 (patch)
tree3105fc77c430aa0b336d0dae7271988731ea1b06
parent4179bb3888461061584858ba18408cc139c23a7e (diff)
Old M of mine, uncovered by the recent dhcpd update: Bypass IPsec in all
DHCP traffic.
-rw-r--r--usr.sbin/dhcp/common/socket.c11
-rw-r--r--usr.sbin/dhcp/dhclient/dhclient.84
-rw-r--r--usr.sbin/dhcp/relay/dhcrelay.88
-rw-r--r--usr.sbin/dhcp/server/dhcpd.84
4 files changed, 27 insertions, 0 deletions
diff --git a/usr.sbin/dhcp/common/socket.c b/usr.sbin/dhcp/common/socket.c
index 03aac4a4a9f..02049944dde 100644
--- a/usr.sbin/dhcp/common/socket.c
+++ b/usr.sbin/dhcp/common/socket.c
@@ -81,6 +81,17 @@ int if_register_socket (info)
if (bind (sock, (struct sockaddr *)&name, sizeof name) < 0)
error ("Can't bind to dhcp address: %m");
+ flag = IPSEC_LEVEL_BYPASS;
+ if (setsockopt (sock, IPPROTO_IP, IP_AUTH_LEVEL,
+ (char *)&flag, sizeof flag) < 0)
+ error ("Can't bypass auth IPsec on dhcp socket: %m");
+ if (setsockopt (sock, IPPROTO_IP, IP_ESP_TRANS_LEVEL,
+ (char *)&flag, sizeof flag) < 0)
+ error ("Can't bypass ESP transport on dhcp socket: %m");
+ if (setsockopt (sock, IPPROTO_IP, IP_ESP_NETWORK_LEVEL,
+ (char *)&flag, sizeof flag) < 0)
+ error ("Can't bypass ESP network on dhcp socket: %m");
+
return sock;
}
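Review bot: The three added setsockopt() calls exempt this socket from the system IPsec policy at the AH, ESP transport and ESP tunnel levels, but nothing in the code says why, so a later reader auditing IPsec coverage has to find the rationale in the man pages. I would add a comment above `flag = IPSEC_LEVEL_BYPASS;`, for example `/* A freshly booted client has no SA yet, so DHCP must not be sent over IPsec; exempt this socket from policy. */`. Each failure goes through error(), the same call used for the bind failure just above; if error() terminates the program, as that usage suggests, a kernel that rejects these options or a caller lacking the privilege to request a bypass would keep the DHCP programs from starting, which is worth stating in that comment or handling deliberately. The declaration of `flag` and the start of if_register_socket are outside the hunk, so the type passed with `sizeof flag` cannot be checked from here.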
diff --git a/usr.sbin/dhcp/dhclient/dhclient.8 b/usr.sbin/dhcp/dhclient/dhclient.8
index eae843776c7..ae9ec6663c8 100644
--- a/usr.sbin/dhcp/dhclient/dhclient.8
+++ b/usr.sbin/dhcp/dhclient/dhclient.8
@@ -108,6 +108,10 @@ available but BOOTP is. In that case, it may be advantageous to
arrange with the network administrator for an entry on the BOOTP
database, so that the host can boot quickly on that network rather
than cycling through the list of old leases.
+.PP
+DHCP traffic always bypass IPsec, otherwise there can come up situations
+when a server has an IPsec SA for the client, and sends replies over that,
+which a potentially newly booted client cannot grasp.
.SH COMMAND LINE
.PP
The names of the network interfaces that dhclient should attempt to
diff --git a/usr.sbin/dhcp/relay/dhcrelay.8 b/usr.sbin/dhcp/relay/dhcrelay.8
index ec4f5c74bf4..6b9c560e6fb 100644
--- a/usr.sbin/dhcp/relay/dhcrelay.8
+++ b/usr.sbin/dhcp/relay/dhcrelay.8
@@ -132,6 +132,14 @@ should be relayed must be specified on the command line.
.PP
.SH SEE ALSO
dhclient(8), dhcpd(8), RFC2132, RFC2131.
+.SH BUGS
+Relayed DHCP traffic could actually safely be protected by IPsec, but
+like
+.B dhcpd(8)
+and
+.B dhclient(8),
+.B dhcrelay(8)
+will bypass IPsec for all its traffic.
.SH AUTHOR
.B dhcrelay(8)
has been written for the Internet Software Consortium
diff --git a/usr.sbin/dhcp/server/dhcpd.8 b/usr.sbin/dhcp/server/dhcpd.8
index b7e31881345..a6196f27802 100644
--- a/usr.sbin/dhcp/server/dhcpd.8
+++ b/usr.sbin/dhcp/server/dhcpd.8
@@ -143,6 +143,10 @@ require a great deal of work, our resources are extremely limited, and
they can be better spent elsewhere. So please don't complain about
this on the mailing list unless you're prepared to fund a project to
implement this feature, or prepared to do it yourself.
+.PP
+DHCP traffic always bypass IPsec, otherwise there can come up situations
+when a server has an IPsec SA for the client, and sends replies over that,
+which a potentially newly booted client cannot grasp.
.SH COMMAND LINE
.PP
The names of the network interfaces on which dhcpd should listen for