Dynamic IPSec peers: host routes not cleaned up when peer IPs change
owczi last edited by
Some background (if TL; then DR):
I'm happily running a private network for my own needs with multiple VPSes running pfSense (2.0.3) and Cisco routers connecting to those VPSes - all based on IPSec + GRE + BGP. Apart from an issue with TCP MD5 auth (had to disable auth for bgp eventually…), everything is stable. The Cisco boxes sit on ADSL links with dynamic DNS, everything is DNS based so when IPs change, tunnels come back up in a couple of minutes which is more than sufficient for my needs. I've generally always been happy with pfSense - I ran 1.x as a bridging firewall before on a production network with one year plus uptimes without issues.
This is what I recently noticed:
pfSense nicely picks up DNS changes of the IPSec peers, but while looking at the routing table I noticed that while pfSense installs /32 routes to the tunnel endpoints every time the endpoint changes, it doesn't clean up the previous routes.
So after a week I have some 10 /32s in the routing table pointing at my WAN interface and they keep appearing. I suppose this is not a real threat when things are stable, but theoretically this is prone to a DOS attack where if an attacker takes control over the domain, lowers TTL of the tunnel peer's host and keeps changing it, the pfSense box will eventually fill up its routing table, or at least poison it with whatever the host resolves to at the time, without removing it. Since the installed routes are directly connected /32s (can't get more specific routes), they will always take priority over any dynamic routes. So to a small extent, this allows packet redirection.
Apologies if this is something that has been flagged before or fixed in 2.1 :)