Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 15 Apr 2010 23:39:58 GMT
From:      Peter Molnar <peter@molnar.cc>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/145737: Wrong UDP checksum not ignored as expected in UDP encapsuladed ESP packet
Message-ID:  <201004152339.o3FNdwCd019096@www.freebsd.org>
Resent-Message-ID: <201004152350.o3FNo2ud016724@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         145737
>Category:       kern
>Synopsis:       Wrong UDP checksum not ignored as expected in UDP encapsuladed ESP packet
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 15 23:50:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Peter Molnar
>Release:        RELENG_7_0_0_RELEASE
>Organization:
>Environment:
>Description:
Test setup:

A FreeBSD machine acts as VPN client (ESP-Transport, L2TP, NAT-T) to an OpenSWAN based VPN concentrator.

Problem description:

The L2TP (UDP) packets originating from the concentrator are rejected because of a wrong UDP checksum.

Detailed problem description:

[RFC 3948, 3.1.2] states: 

   When a transport mode has been used to transmit packets, contained
   TCP or UDP headers will have incorrect checksums due to the change of
   parts of the IP header during transit.  This procedure defines how to
   fix these checksums [...]

   Depending on local policy, one of the following MUST be done:

   [...]

   3.  If the protocol header after the ESP header is a UDP header, set
       the checksum field to zero in the UDP header. [...]
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index cbb13b6..bbe80f6 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -372,6 +372,25 @@ udp_input(struct mbuf *m, int off)
 	else
 		memset(&save_ip, 0, sizeof(save_ip));
 
+#ifdef IPSEC_NAT_T
+	/* 
+	 * RFC 3948
+	 * 
+	 * 3.1.2. Transport Mode Decapsulation NAT Procedure
+	 * 
+	 * Depending on local policy, one of the following MUST be done:
+	 * 
+	 * [...]
+	 * 
+	 * 3.  If the protocol header after the ESP header is a UDP header, set
+	 *     the checksum field to zero in the UDP header. [...]
+	 */
+	
+	if (m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL) != NULL) {
+		uh->uh_sum = 0;
+	}
+#endif
+
 	/*
 	 * Checksum extended UDP header and data.
 	 */


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201004152339.o3FNdwCd019096>