author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-08-09 15:44:33 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-08-09 15:44:33 +0000 |
commit | 4eea42ee42a0ac8a7bf9d8afe07471fedf2c91b3 (patch) | |
tree | e24c71bc760efd89c23457eb8a41aee30dd3c2f8 /sys | |
parent | a8b98b2a9f20313e9083e3d4dd32a4e528cbed22 (diff) |
Don't check the source address on the packet vs. the one on the SA, as
this prevents use of ESP in mobility; pointed out on the IETF mailing
list by Francis Dupont.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ipsec_input.c | 52 |
1 files changed, 1 insertions, 51 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index e0a876a3ee7..2a70187eab4 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.52 2001/08/08 15:07:04 jjbg Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.53 2001/08/09 15:44:32 angelos Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -375,30 +375,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
 }
 }
 #endif /* INET6 */
-
- /*
- * Check that the source address is an expected one,
- * if we know what it's supposed to be. This avoids
- * source address spoofing.
- */
- if ((tdbp->tdb_src.sa.sa_family == AF_INET &&
- tdbp->tdb_src.sin.sin_addr.s_addr != INADDR_ANY &&
- ip->ip_src.s_addr != tdbp->tdb_src.sin.sin_addr.s_addr) ||
- (tdbp->tdb_src.sa.sa_family != AF_INET &&
- tdbp->tdb_src.sa.sa_family != 0)) {
-
- DPRINTF(("ipsec_common_input_cb(): source address %s "
- "doesn't correspond to expected source %s, "
- "SA %s/%08x\n", inet_ntoa4(ip->ip_src),
- ipsp_address(tdbp->tdb_src),
- ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
-
- m_freem(m);
- IPSEC_ISTAT(espstat.esps_pdrops, ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
- return EACCES;
- }
 }
 #endif /* INET */
 
@@ -492,32 +468,6 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
 return EACCES;
 }
 }
-
- /*
- * Check that the source address is an expected one,
- * if we know what it's supposed to be. This avoids
- * source address spoofing.
- */
- if ((tdbp->tdb_src.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&tdbp->tdb_src.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6->ip6_src,
- &tdbp->tdb_src.sin6.sin6_addr)) ||
- (tdbp->tdb_src.sa.sa_family != AF_INET6 &&
- tdbp->tdb_src.sa.sa_family != 0)) {
-
- DPRINTF(("ipsec_common_input_cb(): packet %s to %s "
- "does not match any ACL entries, SA %s/%08x\n",
- ip6_sprintf(&ip6->ip6_src),
- ip6_sprintf(&ip6->ip6_dst),
- ipsp_address(tdbp->tdb_src),
- ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
-
- m_freem(m);
- IPSEC_ISTAT(espstat.esps_pdrops, ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
- return EACCES;
- }
 }
 #endif /* INET6 */
 
|