Bug 196839

Summary: use_time of IPsec policy is updated even when receiving error packets.
Product: Networking Reporter: c c (cchenme)
Component: OtherAssignee: Stephen Hemminger (stephen)
Status: NEW ---    
Severity: normal    
Priority: P1    
Hardware: Intel   
OS: Linux   
Kernel Version: 4.8.0 Subsystem:
Regression: No Bisected commit-id:

Description c c 2017-09-06 10:18:33 UTC 
Normally the use_time of policy in SPD is updated if the policy is matched by incoming or outgoing IP packets. For protect policy, it is updated if ESP/AH packets are sent or received.

The use_time of SPD_IN policy used by IKE implementation like strongSwan to check whether there is inbound traffic, thus determine whether it is necessary to send DPD(dead peer detection, rfc3706) request to check liveness of IPsec peer.

In case an unprotected packet is received but matches the IPsec SPD IN protect policy, the packet will be discarded and the error counter XfrmInTmplMismatch in /proc/net/xfrm_stat is incremented.

But in such error/malicious case, the use_time of SPD IN policy is also updated. This cause strongSwan to mistakenly regard that the policy is in use and not to trigger DPD request even when it should.

In short, this is a security hole in kernel and could lead to DoS attack on IPsec gateway running on Linux.