Bug 681974

Summary: Openswan's current IKEv2 implementation does not correctly process ICMPv6 Selectors for Type and Code
Product: Red Hat Enterprise Linux 6 Reporter: IOL <imj731>
Component: openswanAssignee: Avesh Agarwal <avagarwa>
Status: CLOSED ERRATA QA Contact: Aleš Mareček <amarecek>
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: amarecek, iboverma, sgrubb
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: openswan-2_6_32-4_el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:55:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description IOL 2011-03-03 18:27:37 UTC 
Description of problem:

Openswan does not correctly process Traffic Selectors for ICMPv6 when a type and code is specified according to RFC 4301 Section 4.4.1.1.

Version-Release number of selected component (if applicable):

Openswan Version 2.6.24


How reproducible:

Always

Steps to Reproduce:
1. Send IKE_AUTH Request to Openswan with Traffic selector specifying ICMPv6 and 8000 or 8100 in the start port and end port.  Selectors will not be properly applied, and the IKE_AUTH Response will have ANY/ANY specified.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 4 Avesh Agarwal 2011-03-17 17:12:39 UTC 
Testing instructions for QE:

1. I would suggest to look at the following paragraph from RFC 4306 http://tools.ietf.org/html/rfc4306 for better understanding.

"Start Port (2 octets) - Value specifying the smallest port number
      allowed by this Traffic Selector.  For protocols for which port is
      undefined, or if all ports are allowed, this field MUST be zero.
      For the ICMP protocol, the two one-octet fields Type and Code are
      treated as a single 16-bit integer (with Type in the most
      significant eight bits and Code in the least significant eight
      bits) port number for the purposes of filtering based on this
      field.
"

2. Configure IPsec nodes as follows:

IPsec node 1 (*.conf):
conn test1
        auto=add
        authby=secret
        left=192.168.122.181
        right=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
	leftprotoport=icmp   #(icmp echo reply type 0 code 0)
        rightprotoport=icmp/2048 #(icmp echo request type 0 code 0)
        ikev2=insist

IPsec node 2 (*.conf):
conn test1
        auto=add
        authby=secret
        right=192.168.122.181
        left=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
	rightprotoport=icmp   #(icmp echo reply type 0 code 0)
        leftprotoport=icmp/2048 #(icmp echo request type 0 code 0)
        ikev2=insist

both nodes (*.secrets):
: PSK "whatever"

3. Establish connection test1 as "ipsec auto --up test1"

4. check output of "ip xfrm policy" , and it will show wrong type/code values in failed case, and right type and code values in success case.
Comment 5 IBM Bug Proxy 2011-03-18 21:41:41 UTC 
------- Comment From spieth.com 2011-03-17 19:55 EDT-------
---Problem Description---
Reverse Mirror of RIT681974 - Openswan's current IKEv2 implementation does not correctly process ICMPv6 Selectors for Type and Code
Contact Information = spieth.com

---uname output---
na

Machine Type = na

---Debugger---
A debugger is not configured

---Steps to Reproduce---
na

---All Component Data---
Comment 9 errata-xmlrpc 2011-05-19 13:55:25 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0652.html