Date: Tue, 26 Sep 2006 17:19:00 -0500
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-net@freebsd.org
Subject: Re: Bundled SAs and ESP/IPCOMP support ...
Message-ID: <4519A754.3000109@shrew.net>
In-Reply-To: <45197099.8060406@shrew.net>
References: <45197099.8060406@shrew.net>
Matthew Grooms wrote:
> All,
>
> With fast ipsec compiled into the kernel, I can see the outbound esp
> transport SAD entry increase the current byte count but the ipcomp entry
> shows nothing to indicate its use. It seems strange that the kernel will
> send acquire messages via PF_KEY as a pre-requisite to performing the
> required security processing but doesn't use them once they are added by
> the key daemon.
>

So, I tracked down the problem I was seeing to here ...

/usr/src/sys/netinet6/ipcomp_output.c:145

	/* grab parameters */
	algo = ipcomp_algorithm_lookup(sav->alg_enc);
	if ((ntohl(sav->spi) & ~0xffff) != 0 || !algo) {
		stat->out_inval++;
		m_freem(m);
		return EINVAL;
	}
...

The SPI which gets interpreted as the CPI had a value larger than 0xffff. If IPCOMP will always fail with a CPI that isn't contained within 16 bits, should this be treated as an error condition when the key daemon attempts to add the SAD entry? Then there would be error feedback as opposed to silently dropping the packet in the outbound path.

Thanks,
-Matthew
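The add-time validation the message proposes, written out as an added example; this is not FreeBSD code and is not part of the original message. It reuses the same mask test as the quoted ipcomp_output.c fragment (the 32-bit SPI field carries a 16-bit CPI, so the upper half must be zero) and additionally assumes the CPI ranges of RFC 3173: 0-63 well-known (the CPI equals the compression transform identifier), 64-255 reserved, 256-61439 negotiated, 61440-65535 private use. The algorithm constants and the function name ipcomp_sa_validate are hypothetical, chosen for this example rather than taken from FreeBSD's PF_KEY or key-management code.

```c
#include <stdint.h>
#include <errno.h>
#include <arpa/inet.h>   /* ntohl/htonl, as in the kernel fragment */

/* Hypothetical compression algorithm identifiers, modelled on the IPComp
 * transform ids of RFC 3173 (not FreeBSD's own SADB_X_CALG_* names). */
enum ipcomp_alg {
    IPCOMP_ALG_NONE    = 0,
    IPCOMP_ALG_OUI     = 1,
    IPCOMP_ALG_DEFLATE = 2,
    IPCOMP_ALG_LZS     = 3
};

/* Same test as the output path: an IPComp SA's SPI must fit in 16 bits,
 * because only the low 16 bits are carried on the wire as the CPI. */
static int ipcomp_cpi_fits(uint32_t spi_net)
{
    return (ntohl(spi_net) & ~0xffffU) == 0;
}

/* Validate an IPComp SA when the key daemon adds it (SADB_ADD time),
 * so a bad entry is rejected with feedback instead of being installed
 * and then silently dropping every packet in ipcomp_output().
 * spi_net is the SPI in network byte order, as stored in the SA.
 * Returns 0 on success or EINVAL, mirroring the output-path error code. */
int ipcomp_sa_validate(uint32_t spi_net, int alg)
{
    if (!ipcomp_cpi_fits(spi_net))
        return EINVAL;                    /* CPI would be truncated */

    if (alg != IPCOMP_ALG_OUI && alg != IPCOMP_ALG_DEFLATE &&
        alg != IPCOMP_ALG_LZS)
        return EINVAL;                    /* unknown algorithm */

    uint16_t cpi = (uint16_t)ntohl(spi_net);

    if (cpi < 64) {
        /* Well-known range: the CPI is the transform id itself, so it
         * must agree with the algorithm the SA was configured with. */
        return (cpi == (uint16_t)alg) ? 0 : EINVAL;
    }
    if (cpi < 256)
        return EINVAL;                    /* reserved range, never valid */

    /* 256-61439 negotiated, 61440-65535 private use: any value is fine. */
    return 0;
}
```

A validator like this belongs where the PF_KEY SADB_ADD or SADB_UPDATE message is parsed, so the daemon gets an error on the socket rather than a quietly growing out_inval counter.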