Date:      Wed, 5 Mar 2008 00:09:20 GMT
From:      Cyrus Rahman <crahman@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/121373: New IPSEC & IPV6 & AH+ESP Broken
Message-ID:  <200803050009.m2509KVj059049@www.freebsd.org>
Resent-Message-ID: <200803050020.m250K2bQ006932@freefall.freebsd.org>


>Number:         121373
>Category:       kern
>Synopsis:       New IPSEC & IPV6 & AH+ESP Broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 05 00:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Cyrus Rahman
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Tue Mar  4 16:27:33 MST 2008     cr@snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA  i386

>Description:
One can't run ipsec with both esp + ah on 7.0-RELEASE with ipv6.  Trying to will
produce the kernel printf:

 kernel: ip6_output (ipsec): error code 22

and no output from the interface.

The problem looks to be here, in ipsec_output.c, ipsec_process_done():

        /*
         * If there's another (bundled) SA to apply, do so.
         * Note that this puts a burden on the kernel stack size.
         * If this is a problem we'll need to introduce a queue
         * to set the packet on so we can unwind the stack before
         * doing further processing.
         */
        if (isr->next) {
                ipsec4stat.ips_out_bundlesa++;
                return ipsec4_process_packet(m, isr->next, 0, 0);
        }

So for the second SA we try to apply it with ipsec4_process_packet(), which fails when handed an ipv6 packet.  By the way, things work fine with ipv4.

>How-To-Repeat:
Set up an association between two ipv6 hosts that calls for esp+ah.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
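
The failure described in this report, reduced to a small user-space model. This is an added example, not FreeBSD kernel code and not the project's fix. The names `process`, `process_done`, `run_bundle` and the `fixed` flag are hypothetical, and dispatching on the packet's address family is an assumed remedy shown only for contrast.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>                 /* AF_INET, AF_INET6 */

/* Hypothetical stand-ins for the packet and the bundled SA requests. */
struct pkt { int family; int applied; };
struct req { int proto; struct req *next; };
static int process(struct pkt *m, struct req *isr, int want, int fixed);

/* Model of the "done" step: one transform finished, apply the next SA. */
static int process_done(struct pkt *m, struct req *isr, int fixed)
{
    m->applied++;
    if (isr->next == NULL) return 0;
    if (!fixed)                         /* pattern quoted in the report */
        return process(m, isr->next, AF_INET, fixed);
    switch (m->family) {                /* assumed remedy: pick by family */
    case AF_INET: case AF_INET6:
        return process(m, isr->next, m->family, fixed);
    default: return EAFNOSUPPORT;
    }
}

/* Model of a per-family routine; `want` is the one family it accepts. */
static int process(struct pkt *m, struct req *isr, int want, int fixed)
{
    if (m->family != want)
        return EINVAL;                  /* errno 22 */
    return process_done(m, isr, fixed);
}

/* Push one packet through an ESP+AH bundle; returns the error code. */
int run_bundle(int family, int fixed, int *applied)
{
    struct req ah = { 51, NULL };       /* IPPROTO_AH */
    struct req esp = { 50, &ah };       /* IPPROTO_ESP, applied first */
    struct pkt m = { family, 0 };
    int error = process(&m, &esp, family, fixed);
    *applied = m.applied;
    return error;
}

int main(void)
{
    int n, e = run_bundle(AF_INET6, 0, &n);
    printf("IPv4-only continuation: error %d, %d transform(s)\n", e, n);
    e = run_bundle(AF_INET6, 1, &n);
    printf("family dispatch: error %d, %d transform(s)\n", e, n);
    return 0;
}
```

In the model, an IPv6 packet gets its first transform applied and then fails with EINVAL on the second SA, while an IPv4 packet passes through both, matching the symptoms in the report.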


