Date: Wed, 5 Mar 2008 00:09:20 GMT From: Cyrus Rahman <crahman@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/121373: New IPSEC & IPV6 & AH+ESP Broken Message-ID: <200803050009.m2509KVj059049@www.freebsd.org> Resent-Message-ID: <200803050020.m250K2bQ006932@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 121373 >Category: kern >Synopsis: New IPSEC & IPV6 & AH+ESP Broken >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Mar 05 00:20:02 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Cyrus Rahman >Release: 7.0-RELEASE >Organization: >Environment: FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #6: Tue Mar 4 16:27:33 MST 2008 cr@snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA i386 >Description: One can't run ipsec with both esp + ah on 7.0-RELEASE with ipv6. Trying to will produce the kernel printf: kernel: ip6_output (ipsec): error code 22 and no output from the interface. The problem looks to be here, in ipsec_output.c, ipsec_process_done(): /* * If there's another (bundled) SA to apply, do so. * Note that this puts a burden on the kernel stack size. * If this is a problem we'll need to introduce a queue * to set the packet on so we can unwind the stack before * doing further processing. */ if (isr->next) { ipsec4stat.ips_out_bundlesa++; return ipsec4_process_packet(m, isr->next, 0, 0); } So for the second SA we try to apply it with ipsec4_process_packet(), which fails when handed an ipv6 packet. By the way, things work fine with ipv4. >How-To-Repeat: Set up an association between two ipv6 hosts that calls for esp+ah. >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803050009.m2509KVj059049>