Bug 189878 - Racoon uses incorrect source address on interfaces with multiple addresses
Racoon uses incorrect source address on interfaces with multiple addresses
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: ipsec-tools (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Conklin
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-25 10:13 EDT by Matt Dainty
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-19 14:44:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to fix behaviour (496 bytes, patch)
2006-04-25 10:13 EDT, Matt Dainty
no flags Details | Diff

  None (edit)
Description Matt Dainty 2006-04-25 10:13:43 EDT
Description of problem:

The bug and behaviour is documented here:

http://sourceforge.net/mailarchive/message.php?msg_id=9638641

The patch was accepted and the change is still present in the latest 0.6.5 release.

Applying the patch and rebuilding 0.2.5-0.7 fixed this exact same issue for me
where racoon was using the wrong address on an interface with multiple addresses
configured. This broke identity protection ("verify_identifier yes" in
racoon.conf) which was using the IP address as the identifier.

I'll attach the patch for completeness.

Version-Release number of selected component (if applicable):

0.2.5-0.7
(0.3.3-6 in RHEL4 doesn't contain the fix either so I suspect is also vulnerable)

How reproducible:

Always on a particular machine, although some machines weren't affected,
possibly due to the order the addresses were configured on the interface. Not
entirely sure.

Steps to Reproduce:
1. Assign multiple addresses to an interface used by racoon to establish IPSEC
connection, preferably with identify protection enabled
2. Watch UDP/500 packets leave the interface
  
Actual results:
Packets have an incorrect source address which leads to them not matching any
known configuration on the remote peer, which can cause identify protection to fail.

Expected results:
Packets should have the correct source address

Additional info:
Comment 1 Matt Dainty 2006-04-25 10:13:43 EDT
Created attachment 128202 [details]
Patch to fix behaviour
Comment 2 Red Hat Bugzilla 2007-07-19 20:43:10 EDT
change the owner of ipsec-tools
Comment 3 RHEL Product and Program Management 2007-10-19 14:44:59 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.