Re: IPSEC transport mode w/2.2.x kernels and large packets

Andi Kleen (ak@muc.de)
Sat, 7 Aug 1999 12:23:29 +0200


On Sat, Aug 07, 1999 at 12:01:28PM +0200, Alan Cox wrote:
> > > Set the MTU to 64K
> > > Set the MSS on the routers to the estimated path mtu
> >
> > You propose to rewrite the TCP MSS option on the routers while tunneling ?
>
> Typo - routes

Hmm, shifting state to people who shouldn't need to know.

> > Also the tunnel start point has to be secured anyways, otherwise
> > all the encryption wouldn't make sense. Similar for the tunnel endpoint.
> >
> > Or do I miss something?
>
> The DF frames are coming from hosts that the tunnel passes through, not
> from inside the tunnel. That is the problem.
>
> Frames from the tunnel itself are protected and encrypted, but any icmp
> generated by the tunnel itself are unencrypted and unsigned so cannot be
> trusted

The frames from the tunnel to the hosts that it tunnels for are obviously
not encrypted.

The hosts don't know that they are communicating with a tunnel. So they don't
know that they're supposed to ignore ICMP_FRAG_NEEDED. They don't. If the
IPSec host doesn't generate it, someone else will. To avoid it you have
to make sure that the network after the tunnel is secured.

The link between the to-be-tunneled hosts and the tunnel is insecure.
IPSec's job is to secure the link between two tunnel endpoints, not the
network before and after the tunnel.

I don't see any advantage in breaking IP, just to avoid one possible DoS,
when there are lots of others anyways, which cannot be avoided.

-Andi

-- 
This is like TV. I don't like TV.
