Date: Tue, 24 Apr 2001 04:05:39 +0900
From: Shoichi Sakane <sakane@ydc.co.jp>
To: snap-users@kame.net
Cc: freebsd-net@freebsd.org
Subject: Re: (KAME-snap 4515) Re: KAME SPD bug, please try and confirm ...
Message-ID: <20010424040539N.sakane@ydc.co.jp>
In-Reply-To: Your message of "Sun, 22 Apr 2001 05:15:33 +0000" <3AE268F5.B48CC2B2@aurora.regenstrief.org>
References: <3AE268F5.B48CC2B2@aurora.regenstrief.org>
[-- Attachment #1 --]
> > sorry that we did not make any useful responses, some of the kame guys
> > (mainly sakane) are trying to repeat the symptom.
> I appreciate that very much!
I have tested, but I couldn't get any error. I made the following network.
And I executed a flooding ping to A from both B and C. All of the hosts seemed
quite stable. Of course, these ICMP packets were encapsulated by ESP.
Actually, I couldn't prepare three FreeBSD machines.
A and C are FreeBSD4.2-RELEASE, and B is NetBSD1.5.
All of them are *WITHOUT* the KAME patch.
    A ---+--- B
         |
         +--- C
Host A is a powerless machine, which is a Pentium 100MHz.
Just in case, I attach these configurations and results to this mail.
These are:
net-A: first configuration on the host A.
net-A2: configuration on the host A after host C added.
net-B: configuration on the host B.
net-C: configuration on the host C.
host-A: results of ifconfig, netstat on the host A.
host-B: results of ifconfig, netstat on the host B.
host-C: results of ifconfig, netstat on the host C.
> > i ran a small test with slightly different setup on both NetBSD
> > 1.5.1_BETA and NetBSD 1.5 + KAME SNAP 2001042x, and the problem did
> > not repeat.
> Hmm, maybe it's a matter of FreeBSD and does not occur with NetBSD?
> > is the following description correct?
> > - FreeBSD 4.2-RELEASE is not affected
> yes, it is affected with kernel panic (under high loads only ...)
How high were the "high loads"? I did a flooding ping invoked with "-f -s 1000"
from both B and C, but a kernel panic didn't happen.
I haven't checked the following case, but I think the issue exists in
another place.
> > - FreeBSD 4.2-RELEASE + KAME SNAP 200103xx has problem, but no kernel
> > panic
> right, shows the described problems but has no such kernel panics
> > - FreeBSD 4.2-RELEASE + KAME SNAP 200104xx has problem, with kernel
> > panic
> actually I should test that. Will do tomorrow.
/Shoichi Sakane @ KAME project/
[-- Attachment #2 --]
# first host A's configuration.
ifconfig ep0 inet 172.16.5.1 netmask 0xffffff00
ifconfig ep0 inet alias 10.10.10.1 netmask 0xffffff00
ifconfig lo0 inet alias 10.99.10.1 netmask 0xffffff00
route add -net 10.99.20.0/24 10.99.10.1
setkey -c <<EOF
add 10.10.10.1 10.10.10.2 esp 1000 -E simple;
add 10.10.10.2 10.10.10.1 esp 1001 -E simple;
spdadd 10.99.10.0/24 10.99.20.0/24 any -P out ipsec
esp/tunnel/10.10.10.1-10.10.10.2/require;
spdadd 10.99.20.0/24 10.99.10.0/24 any -P in ipsec
esp/tunnel/10.10.10.2-10.10.10.1/require;
EOF
[-- Attachment #3 --]
# host A's configuration after host C added.
route add -net 10.99.30.0/24 10.99.10.1
setkey -c <<EOF
add 10.10.10.1 10.10.10.3 esp 2000 -E simple;
add 10.10.10.3 10.10.10.1 esp 2001 -E simple;
spdadd 10.99.10.0/24 10.99.30.0/24 any -P out ipsec
esp/tunnel/10.10.10.1-10.10.10.3/require;
spdadd 10.99.30.0/24 10.99.10.0/24 any -P in ipsec
esp/tunnel/10.10.10.3-10.10.10.1/require;
EOF
[-- Attachment #4 --]
# host B's configuration
ifconfig ne2 inet 172.16.5.2 netmask 0xffffff00
ifconfig ne2 inet alias 10.10.10.2 netmask 0xffffff00
ifconfig lo0 inet alias 10.99.20.1 netmask 0xffffff00
route add -net -inet 10.99.10.0 -netmask 24 10.99.20.1
setkey -c <<EOF
add 10.10.10.1 10.10.10.2 esp 1000 -E simple;
add 10.10.10.2 10.10.10.1 esp 1001 -E simple;
spdadd 10.99.20.0/24 10.99.10.0/24 any -P out ipsec
esp/tunnel/10.10.10.2-10.10.10.1/require;
spdadd 10.99.10.0/24 10.99.20.0/24 any -P in ipsec
esp/tunnel/10.10.10.1-10.10.10.2/require;
EOF
[-- Attachment #5 --]
# host C's configuration.
ifconfig ed1 inet 172.16.5.3 netmask 0xfffff00
ifconfig ed1 inet alias 10.10.10.3 netmask 0xffffff00
ifconfig lo0 inet alias 10.99.30.1 netmask 0xffffff00
route add -net 10.99.10.0/24 10.99.30.1
setkey -c <<EOF
add 10.10.10.1 10.10.10.3 esp 2000 -E simple;
add 10.10.10.3 10.10.10.1 esp 2001 -E simple;
spdadd 10.99.30.0/24 10.99.10.0/24 any -P out ipsec
esp/tunnel/10.10.10.3-10.10.10.1/require;
spdadd 10.99.10.0/24 10.99.30.0/24 any -P in ipsec
esp/tunnel/10.10.10.1-10.10.10.3/require;
EOF
[-- Attachment #6 --]
### host A
### OS: FreeBSD4.2-RELEASE
### the results of ifconfig, netstat.
# ifconfig -au
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet 10.99.10.1 netmask 0xffffff00
ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.5.1 netmask 0xffffff00 broadcast 172.16.5.255
inet6 fe80::260:8ff:fe89:b029%ep0 prefixlen 64 scopeid 0x9
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
ether 00:60:08:89:b0:29
media: 10baseT/UTP
supported media: 10base2/BNC 10baseT/UTP 10base5/AUI
# netstat -nrf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
10.10.10/24 link#9 UC 0 0 ep0 =>
10.10.10.1 0:60:8:89:b0:29 UHLW 0 2 lo0
10.10.10.2 0:0:f4:5f:40:61 UHLW 1 7 ep0 760
10.10.10.3 0:0:f4:42:b5:a0 UHLW 1 1 ep0 777
10.99.10.1 10.99.10.1 UH 2 0 lo0
10.99.20/24 10.99.10.1 UGSc 0 496952 lo0
10.99.30/24 10.99.10.1 UGSc 0 681251 lo0
127.0.0.1 127.0.0.1 UH 0 0 lo0
172.16.5/24 link#9 UC 0 0 ep0 =>
# netstat -p ipsec
ipsec:
1178203 inbound packets processed successfully
0 inbound packets violated process security policy
1 inbound packet with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
ESP input histogram:
simple: 1178203
1178203 outbound packets processed successfully
0 outbound packets violated process security policy
0 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
ESP output histogram:
simple: 1178203
[-- Attachment #7 --]
### host B
### OS: NetBSD1.5
### the results of ifconfig, netstat.
# ifconfig -auA
ne2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:f4:5f:40:61
media: Ethernet autoselect (10baseT)
inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
inet alias 172.16.5.2 netmask 0xffffff00 broadcast 172.16.5.255
inet6 fe80::200:f4ff:fe5f:4061%ne2 prefixlen 64 scopeid 0x2
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33228
inet 127.0.0.1 netmask 0xff000000
inet alias 10.99.20.1 netmask 0xffffff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
# netstat -nrf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
0&0x18 10.99.20.1 UGS 3 499038 33228 lo0
10.10.10/24 link#2 UC 1 0 1500 ne2
10.10.10.1 00:60:08:89:b0:29 UHL 1 6 1500 ne2
10.99.20.1 10.99.20.1 UH 1 4 33228 lo0
127 127.0.0.1 UGRS 0 0 33228 lo0
127.0.0.1 127.0.0.1 UH 1 0 33228 lo0
172.16.5/24 link#2 UC 0 0 1500 ne2
# netstat -p ipsec
ipsec:
496825 inbound packets processed successfully
0 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
ESP input histogram:
null: 496825
499035 outbound packets processed successfully
0 outbound packets violated process security policy
0 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
ESP output histogram:
null: 499035
[-- Attachment #8 --]
### host C
### OS: FreeBSD4.2-RELEASE
### the results of ifconfig, netstat.
# ifconfig -au
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet 10.99.30.1 netmask 0xffffff00
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.5.3 netmask 0xfffff00 broadcast 252.16.5.255
inet6 fe80::200:f4ff:fe42:b5a0%ed1 prefixlen 64 scopeid 0xa
inet 10.10.10.3 netmask 0xffffff00 broadcast 10.10.10.255
ether 00:00:f4:42:b5:a0
# netstat -nrf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
10.10.10/24 link#10 UC 0 0 ed1 =>
10.10.10.1 0:60:8:89:b0:29 UHLW 1 1 ed1 382
10.99.10/24 10.99.30.1 UGSc 0 681290 lo0
10.99.30.1 10.99.30.1 UH 1 0 lo0
12.16.5&0xfffff00 link#10 UC 0 0 ed1 =>
127.0.0.1 127.0.0.1 UH 0 0 lo0
# netstat -p ipsec
ipsec:
681184 inbound packets processed successfully
0 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
ESP input histogram:
simple: 681184
681290 outbound packets processed successfully
0 outbound packets violated process security policy
0 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
ESP output histogram:
simple: 681290
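
Added example, not part of the original message: a shell function that reads `netstat -p ipsec` output in the format shown in the attachments and lists every nonzero drop or error counter, which is the check made by eye after a stress run like the one described. The names `ipsec_failures` and `sample_host_a` are hypothetical, and the sample input is an excerpt of host A's output above.

```shell
#!/bin/sh
# Added example: list nonzero failure counters from `netstat -p ipsec` output.
# Reads the command output on stdin and prints "count<TAB>description" for each
# counter that records a drop or an error. Returns 0 if clean, 1 otherwise.
ipsec_failures() {
    awk '
        # Counter lines have the form "<number> <description>".
        # Histogram lines ("simple: 1178203") and headers do not match.
        $1 ~ /^[0-9]+$/ {
            count = $1 + 0
            desc = $0
            sub(/^[ \t]*[0-9]+[ \t]+/, "", desc)
            # Success counters are expected to be nonzero; skip them.
            if (desc ~ /processed successfully$/) next
            if (desc ~ /considered authentic$/) next
            if (count > 0) {
                printf "%d\t%s\n", count, desc
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: excerpt of host A's `netstat -p ipsec` output from this message.
sample_host_a() {
    cat <<'EOF'
ipsec:
        1178203 inbound packets processed successfully
        0 inbound packets violated process security policy
        1 inbound packet with no SA available
        0 invalid inbound packets
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        ESP input histogram:
                simple: 1178203
        1178203 outbound packets processed successfully
        0 outbound packets with no SA available
EOF
}

# Stand-alone run: report what the sample contains.
sample_host_a | ipsec_failures || echo "nonzero failure counters found"
```

On a live host the same function can be fed directly with `netstat -p ipsec | ipsec_failures`.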
