From: Phil H. <phi...@ip...> - 2007-07-30 18:25:41
IPsec (ESP) over IPv6 apparently encrypts neighbor discovery even before an SA is established. Is this the way it should be? In order to get an SA established, I have to set permanent neighbor table entries. Perhaps bouncing packets against a router would also work (I have not tried that, but it is not something I'd want to do as _the_ solution).

Is there a way to specify the security policy to _not_ encrypt neighbor discovery packets, while still encrypting other packets including other ICMP (I would want to leave ping encrypted, for example)? Would this be a possible security risk?
From: Bjoern A. Z. <bze...@li...> - 2007-07-30 20:52:19
On Mon, 30 Jul 2007, Phil Howard wrote:

> IPsec (ESP) over IPv6 apparently encrypts neighbor discovery even before
> an SA is established. Is this the way it should be? In order to get an
> SA established, I have to set permanent neighbor table entries. Perhaps
> bouncing packets against a router would also work (I have not tried that
> but it is not something I'd want to do as _the_ solution).
>
> Is there a way to specify the security policy to _not_ encrypt neighbor
> discovery packets, while still encrypting other packets including other
> ICMP (I would want to leave ping encrypted, for example)? Would this be
> a possible security risk?

# In order to avoid this problem,
# Router Solicitation(133),
# Router Advertisement(134),
# Neighbor Solicitation(135) and
# Neighbor Advertisement(136)
# messages must not lead to the use of IKE-based SA negotiation.
# [simplified policies here only]
spdadd ::/0 ::/0 icmp6 133,0 -P in none;
spdadd ::/0 ::/0 icmp6 133,0 -P out none;
spdadd ::/0 ::/0 icmp6 134,0 -P in none;
spdadd ::/0 ::/0 icmp6 134,0 -P out none;
spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 135,0 -P out none;
spdadd ::/0 ::/0 icmp6 136,0 -P in none;
spdadd ::/0 ::/0 icmp6 136,0 -P out none;

You might still run into implementation problems with the above not
working. Also remember that order might be important (at least for
ipsec.conf on BSD it is).

-- 
Bjoern A. Zeeb                              bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
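The reply above gives the Neighbor Discovery bypass entries in isolation and notes that SPD order matters. The script below is an added example, not code from either poster: it generates a complete setkey(8) SPD script in which the ND bypass entries (ICMPv6 types 133 to 136, code 0, both directions) are emitted before a host-to-host ESP transport-mode "require" policy, and it includes a small check that rejects a policy file where a "require" entry precedes a bypass entry. The addresses 2001:db8::1 and 2001:db8::2 are placeholders from the documentation prefix; the "require" policy and the host pair are assumptions added here to show where the bypass entries have to sit relative to the rest of the policy.

```shell
#!/bin/sh
# Added example: build a setkey(8) SPD script that leaves IPv6 Neighbor
# Discovery in the clear while requiring ESP for all other traffic between
# two hosts.  LOCAL/REMOTE are placeholders (assumed), not from the thread.

# Emit the ND bypass entries: RS(133), RA(134), NS(135), NA(136), code 0,
# both directions.  These must come first: the SPD is matched in order, so
# a broader "require" entry placed above them would capture ND too.
nd_bypass_policy() {
    for type in 133 134 135 136; do
        for dir in in out; do
            printf 'spdadd ::/0 ::/0 icmp6 %s,0 -P %s none;\n' "$type" "$dir"
        done
    done
}

# Require ESP transport mode for everything else between the two hosts
# (including echo request/reply, which stays protected).
esp_require_policy() {
    src="$1"; dst="$2"
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$src" "$dst"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$dst" "$src"
}

# Full script: flush the SPD, bypass entries first, then the require policy.
gen_policy() {
    echo 'spdflush;'
    nd_bypass_policy
    esp_require_policy "$1" "$2"
}

# Sanity check on a policy read from stdin: every "none" entry must appear
# before the first "require" entry.  Returns 0 when the order is right.
policy_order_ok() {
    n=0; last_none=0; first_req=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *" none;")
                last_none=$n ;;
            *"require;")
                if [ "$first_req" -eq 0 ]; then first_req=$n; fi ;;
        esac
    done
    [ "$first_req" -gt 0 ] && [ "$last_none" -gt 0 ] && [ "$last_none" -lt "$first_req" ]
}

# Usage: sh nd-bypass.sh 2001:db8::1 2001:db8::2 | setkey -c
if [ $# -eq 2 ]; then
    gen_policy "$1" "$2"
fi
```

Pipe the output into `setkey -c` (or save it and load it with `setkey -f`). The trade-off is the one the question raises: with `-P ... none`, Neighbor Discovery traverses the link unprotected and is exempt from the "require" policy, which is what lets IKE reach its peer before any SA exists; everything else between the two hosts, ping included, still has to be ESP.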