IPsec peer remote address can be keyword any, an IP/IPv6 address, or a hostname. So far so good.
The problem is that the current validator accepts partial IPv4 addresses because they happen to match the generic hostname regex (anything separated by dots).
vyos@north# set vpn ipsec site-to-site peer SOUTH remote-address 10.0.0 # sic — no last octet (could also be 10.0.0.299)
[edit]
vyos@north# commit
[edit]
vyos@north# show vpn ipsec site-to-site peer SOUTH
 default-esp-group TEST
 ike-group TEST
 local-address 203.0.113.10
 remote-address 10.0.0
 tunnel 1 {
     protocol gre
 }
The real problem is that 10.0.0 is a technically valid domain name, because DNS RFCs don't put any restrictions there.
The question is: should we disallow all-numeric top-level domains in the hostname regex?
Or should we rework the option to make it like remote <address <IPv4|IPv6> | host <hostname> | any> to still allow a hypothetical 10.0.0.299 hostname but prevent accidental IP address entry mistakes?
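
The two options above, side by side with the behaviour being reported, as an added sketch that is not VyOS's own validator code. The hostname regex is an assumed stand-in for "anything separated by dots", and the function names are hypothetical.

```python
import ipaddress
import re

# Assumption: a generic hostname pattern (dot-separated letter/digit/hyphen labels).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")


def is_ip(value):
    """True only for a complete, in-range IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value):
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def validate_current(value):
    """Reported behaviour: 'any', an IP address, or anything hostname-shaped."""
    return value == "any" or is_ip(value) or is_hostname(value)


def validate_no_numeric_tld(value):
    """Option 1: as above, but reject hostnames whose last label is all digits."""
    if value == "any" or is_ip(value):
        return True
    if not is_hostname(value):
        return False
    last_label = value.rstrip(".").rsplit(".", 1)[-1]
    return not last_label.isdigit()


def validate_typed(kind, value=None):
    """Option 2: remote <address <IPv4|IPv6> | host <hostname> | any>."""
    if kind == "any":
        return value is None
    if kind == "address":
        return value is not None and is_ip(value)
    if kind == "host":
        return value is not None and is_hostname(value)
    return False
```

Option 1 turns both 10.0.0 and 10.0.0.299 into commit-time errors; option 2 rejects them under `address` while still accepting 10.0.0.299 when it is entered explicitly under `host`.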