From: Paul M. <pau...@ce...> - 2009-02-25 23:21:05
I have just spent several days investigating a bug only to find that it is addressed in 0.8 (that's OK, that's life). It is the situation where, when matching an inbound quick that has ports in its ID, the old code incorrectly picked the first entry without regard to ports. The fix is roughly what I was typing, but I think the checked-in fix is wrong:

a) subnets

Assume I have

  spdadd subnet subnet[21] in
  spdadd subnet[21] subnet out

then the strict match fails (it doesn't do subnet masking).

b) wild match wrong

Secondly, if I have locally

  spdadd addr[80] -> addr in esp

and a remote machine has connected to port 21, then if the strict match fails the wild match can match this, and it seems highly unlikely that that is the correct thing to do; the remote port certainly is not 80.

c) remote side has no port specified

Locally I have

  spdadd subnet subnet[21] in
  spdadd subnet[21] subnet out
  spdadd subnet subnet[21] out
  spdadd subnet[21] subnet in

What should happen when the remote connects? The ID payload will not have a port in it but the SPD does have a port, so the strict match will fail; then the wild match will pick the first entry that matches regardless of port, and that will most likely be wrong (we are back to where we were before the fix). However, it can be argued that this is a misconfiguration (both sides should have a port specified).

For the first issue I think it's better to call cmpspidxwild but with a flag saying strict port match or not. I have not got to the rest yet.
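The following is an added example, not code from the mail or from ipsec-tools/racoon. It models the selector matching the mail argues for: a strict pass followed by a wild pass, with subnet-aware address comparison (case a) and a port comparison controlled by a strict flag under which a specific entry port never matches a different specific peer port (case b). The treatment of a peer ID with no port against an entry that names one (case c) is an assumption: it is reported as "no match" rather than falling back to the first entry. The `Selector`/`SpdEntry` types, the `sel()` parser and port 0 meaning "any" are all assumptions of this example, not racoon structures.

```python
"""Model of SPD selector matching with a strict/wild port flag.

Added example; not racoon/ipsec-tools code. Addresses are compared by
subnet containment, ports either strictly (identical) or wild (an entry
port of 0, "any", accepts any peer port; a specific entry port must still
equal the peer port).
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = 0  # assumption: port 0 in a selector means "any port"


@dataclass(frozen=True)
class Selector:
    """One side (src or dst) of an SPD entry or of a peer's ID payload."""
    net: ipaddress.IPv4Network
    port: int


@dataclass(frozen=True)
class SpdEntry:
    """A simplified spdadd line: src selector, dst selector, direction."""
    src: Selector
    dst: Selector
    direction: str  # "in" or "out"


def sel(spec: str) -> Selector:
    """Parse 'addr', 'addr/prefix', 'addr[port]' or 'addr/prefix[port]'."""
    port = ANY_PORT
    if spec.endswith("]"):
        spec, port_text = spec[:-1].rsplit("[", 1)
        port = int(port_text)
    return Selector(ipaddress.ip_network(spec, strict=False), port)


def addr_match(entry: Selector, peer: Selector) -> bool:
    """Subnet-aware comparison: the peer's network must lie inside the entry's."""
    return peer.net.subnet_of(entry.net)


def port_match(entry: Selector, peer: Selector, strict: bool) -> bool:
    """Strict: ports identical. Wild: entry 'any' accepts everything; a specific
    entry port still has to equal the peer's port. A peer with no port against
    an entry naming one (case c) therefore does not match (assumption)."""
    if strict:
        return entry.port == peer.port
    if entry.port == ANY_PORT:
        return True
    return entry.port == peer.port


def match(entry: SpdEntry, peer_src: Selector, peer_dst: Selector,
          direction: str, strict: bool) -> bool:
    return (entry.direction == direction
            and addr_match(entry.src, peer_src)
            and addr_match(entry.dst, peer_dst)
            and port_match(entry.src, peer_src, strict)
            and port_match(entry.dst, peer_dst, strict))


def find_entry(spd, peer_src: Selector, peer_dst: Selector, direction: str):
    """Strict pass over the whole SPD first, then a wild pass.
    Returns the index of the first matching entry, or None."""
    for strict in (True, False):
        for index, entry in enumerate(spd):
            if match(entry, peer_src, peer_dst, direction, strict):
                return index
    return None


if __name__ == "__main__":
    # Constructed sample policies mirroring the mail's three cases.
    spd_a = [SpdEntry(sel("10.0.0.0/24"), sel("10.0.1.0/24[21]"), "in"),
             SpdEntry(sel("10.0.1.0/24[21]"), sel("10.0.0.0/24"), "out")]
    print("a) host inside subnet, port 21:",
          find_entry(spd_a, sel("10.0.0.7"), sel("10.0.1.3[21]"), "in"))
    spd_b = [SpdEntry(sel("10.0.0.2[80]"), sel("10.0.0.1"), "in")]
    print("b) entry port 80, peer port 21:",
          find_entry(spd_b, sel("10.0.0.2[21]"), sel("10.0.0.1"), "in"))
    print("c) entry port 21, peer ID without port:",
          find_entry(spd_a, sel("10.0.0.7"), sel("10.0.1.3"), "in"))
```

The strict pass is what `cmpspidxwild` with a "strict port" flag would do in this model; dropping the flag gives the wild pass. Running the block prints `0` for case (a), `None` for case (b), and `None` for case (c), where the original first-entry fallback would have returned `0`.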