Date:      Tue, 24 Apr 2001 04:05:39 +0900
From:      Shoichi Sakane <sakane@ydc.co.jp>
To:        snap-users@kame.net
Cc:        freebsd-net@freebsd.org
Subject:   Re: (KAME-snap 4515) Re: KAME SPD bug, please try and confirm ...
Message-ID:  <20010424040539N.sakane@ydc.co.jp>
In-Reply-To: Your message of "Sun, 22 Apr 2001 05:15:33 +0000" <3AE268F5.B48CC2B2@aurora.regenstrief.org>
References:  <3AE268F5.B48CC2B2@aurora.regenstrief.org>

--NextPart-20010424040326-0118601
Content-Type: Text/Plain; charset=us-ascii

> > sorry that we did not make any useful responses, some of the kame guys
> > (mainly sakane) are trying to repeat the symptom.
> I appreciate that very much!

I have tested, but I couldn't get any error.  I made the following network.
And I executed a flooding ping to A from both B and C.  All of the hosts seemed
quite stable.  Of course, these ICMP packets were encapsulated by ESP.

Actually, I couldn't prepare three FreeBSD machines.
A and C are FreeBSD4.2-RELEASE, and B is NetBSD1.5.
All of them are *WITHOUT* the KAME patch.

	A ---+--- B
	     |
	     +--- C

Host A is a powerless machine, which is a Pentium 100MHz.
Just in case, I attach these configurations and results to this mail.
These are:

	net-A:  first configuration on the host A.
	net-A2: configuration on the host A after host C added.
	net-B:  configuration on the host B.
	net-C:  configuration on the host C.

	host-A: results of ifconfig, netstat on the host A.
	host-B: results of ifconfig, netstat on the host B.
	host-C: results of ifconfig, netstat on the host C.

> >  i ran a small test with slightly different setup on both NetBSD
> >  1.5.1_BETA and NetBSD 1.5 + KAME SNAP 2001042x, and the problem did
> >  not repeat.
> Hmm, maybe it's a matter of FreeBSD and does not occur with NetBSD?

> >  is the following description correct?
> >  - FreeBSD 4.2-RELEASE is not affected
> yes, it is affected with kernel panic (under high loads only ...)

What were the "high loads"?  I did a flooding ping invoked with "-f -s 1000"
from both B and C.  But a kernel panic didn't happen.

I haven't checked the following case.  But I think the issue exists in
another place.

> > - FreeBSD 4.2-RELEASE + KAME SNAP 200103xx has problem, but no kernel
> >   panic
> right, shows the described problems but has no such kernel panics

> > - FreeBSD 4.2-RELEASE + KAME SNAP 200104xx has problem, with kernel
> > panic
> actually I should test that. Will do tomorrow.

/Shoichi Sakane @ KAME project/

--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="net-A"

# first host A's configuration.

ifconfig ep0 inet 172.16.5.1 netmask 0xffffff00
ifconfig ep0 inet alias 10.10.10.1 netmask 0xffffff00
ifconfig lo0 inet alias 10.99.10.1 netmask 0xffffff00

route add -net 10.99.20.0/24 10.99.10.1

setkey -c <<EOF
add 10.10.10.1 10.10.10.2 esp 1000 -E simple;
add 10.10.10.2 10.10.10.1 esp 1001 -E simple; 
spdadd 10.99.10.0/24 10.99.20.0/24 any -P out ipsec
        esp/tunnel/10.10.10.1-10.10.10.2/require;
spdadd 10.99.20.0/24 10.99.10.0/24 any -P in ipsec
        esp/tunnel/10.10.10.2-10.10.10.1/require;
EOF

--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="net-A2"

# host A's configuration after host C added.

route add -net 10.99.30.0/24 10.99.10.1

setkey -c <<EOF
add 10.10.10.1 10.10.10.3 esp 2000 -E simple;
add 10.10.10.3 10.10.10.1 esp 2001 -E simple; 
spdadd 10.99.10.0/24 10.99.30.0/24 any -P out ipsec
        esp/tunnel/10.10.10.1-10.10.10.3/require;
spdadd 10.99.30.0/24 10.99.10.0/24 any -P in ipsec
        esp/tunnel/10.10.10.3-10.10.10.1/require;
EOF

--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="net-B"

# host B's configuration

ifconfig ne2 inet 172.16.5.2 netmask 0xffffff00
ifconfig ne2 inet alias 10.10.10.2 netmask 0xffffff00
ifconfig lo0 inet alias 10.99.20.1 netmask 0xffffff00

route add -net -inet 10.99.10.0 -netmask 24 10.99.20.1
        
setkey -c <<EOF
add 10.10.10.1 10.10.10.2 esp 1000 -E simple;
add 10.10.10.2 10.10.10.1 esp 1001 -E simple;
spdadd 10.99.20.0/24 10.99.10.0/24 any -P out ipsec
        esp/tunnel/10.10.10.2-10.10.10.1/require;
spdadd 10.99.10.0/24 10.99.20.0/24 any -P in ipsec
        esp/tunnel/10.10.10.1-10.10.10.2/require;
EOF

--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="net-C"

# host C's configuration.

ifconfig ed1 inet 172.16.5.3 netmask 0xfffff00
ifconfig ed1 inet alias 10.10.10.3 netmask 0xffffff00
ifconfig lo0 inet alias 10.99.30.1 netmask 0xffffff00

route add -net 10.99.10.0/24 10.99.30.1

setkey -c <<EOF
add 10.10.10.1 10.10.10.3 esp 2000 -E simple;
add 10.10.10.3 10.10.10.1 esp 2001 -E simple; 
spdadd 10.99.30.0/24 10.99.10.0/24 any -P out ipsec
        esp/tunnel/10.10.10.3-10.10.10.1/require;
spdadd 10.99.10.0/24 10.99.30.0/24 any -P in ipsec
        esp/tunnel/10.10.10.1-10.10.10.3/require;
EOF

--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="host-A"

### host A
### OS: FreeBSD4.2-RELEASE
### the results of ifconfig, netstat.

# ifconfig -au
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
        inet 10.99.10.1 netmask 0xffffff00 
ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.5.1 netmask 0xffffff00 broadcast 172.16.5.255
        inet6 fe80::260:8ff:fe89:b029%ep0 prefixlen 64 scopeid 0x9 
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        ether 00:60:08:89:b0:29 
        media: 10baseT/UTP
        supported media: 10base2/BNC 10baseT/UTP 10base5/AUI

# netstat -nrf inet
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
10.10.10/24        link#9             UC          0        0      ep0 =>
10.10.10.1         0:60:8:89:b0:29    UHLW        0        2      lo0
10.10.10.2         0:0:f4:5f:40:61    UHLW        1        7      ep0    760
10.10.10.3         0:0:f4:42:b5:a0    UHLW        1        1      ep0    777
10.99.10.1         10.99.10.1         UH          2        0      lo0
10.99.20/24        10.99.10.1         UGSc        0   496952      lo0
10.99.30/24        10.99.10.1         UGSc        0   681251      lo0
127.0.0.1          127.0.0.1          UH          0        0      lo0
172.16.5/24        link#9             UC          0        0      ep0 =>

# netstat -p ipsec
ipsec:
        1178203 inbound packets processed successfully
        0 inbound packets violated process security policy
        1 inbound packet with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                simple: 1178203
        1178203 outbound packets processed successfully
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                simple: 1178203


--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="host-B"

### host B
### OS: NetBSD1.5
### the results of ifconfig, netstat.

# ifconfig -auA
ne2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:f4:5f:40:61
        media: Ethernet autoselect (10baseT)
        inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
        inet alias 172.16.5.2 netmask 0xffffff00 broadcast 172.16.5.255
        inet6 fe80::200:f4ff:fe5f:4061%ne2 prefixlen 64 scopeid 0x2
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33228
        inet 127.0.0.1 netmask 0xff000000
        inet alias 10.99.20.1 netmask 0xffffff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3

# netstat -nrf inet
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
0&0x18             10.99.20.1         UGS         3   499038  33228  lo0
10.10.10/24        link#2             UC          1        0   1500  ne2
10.10.10.1         00:60:08:89:b0:29  UHL         1        6   1500  ne2
10.99.20.1         10.99.20.1         UH          1        4  33228  lo0
127                127.0.0.1          UGRS        0        0  33228  lo0
127.0.0.1          127.0.0.1          UH          1        0  33228  lo0
172.16.5/24        link#2             UC          0        0   1500  ne2

# netstat -p ipsec
ipsec:
        496825 inbound packets processed successfully
        0 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                null: 496825
        499035 outbound packets processed successfully
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                null: 499035


--NextPart-20010424040326-0118601
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="host-C"

### host C
### OS: FreeBSD4.2-RELEASE
### the results of ifconfig, netstat.

# ifconfig -au
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
        inet 10.99.30.1 netmask 0xffffff00 
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.5.3 netmask 0xfffff00 broadcast 252.16.5.255
        inet6 fe80::200:f4ff:fe42:b5a0%ed1 prefixlen 64 scopeid 0xa 
        inet 10.10.10.3 netmask 0xffffff00 broadcast 10.10.10.255
        ether 00:00:f4:42:b5:a0 

# netstat -nrf inet
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
10.10.10/24        link#10            UC          0        0      ed1 =>
10.10.10.1         0:60:8:89:b0:29    UHLW        1        1      ed1    382
10.99.10/24        10.99.30.1         UGSc        0   681290      lo0
10.99.30.1         10.99.30.1         UH          1        0      lo0
12.16.5&0xfffff00  link#10            UC          0        0      ed1 =>
127.0.0.1          127.0.0.1          UH          0        0      lo0

# netstat -p ipsec
ipsec:
        681184 inbound packets processed successfully
        0 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                simple: 681184
        681290 outbound packets processed successfully
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                simple: 681290


--NextPart-20010424040326-0118601--
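
A consistency check for the manually keyed tunnel setup in the net-A and net-B attachments, added here as an example (it is not part of the original message or of KAME): it parses the setkey input of two peers and reports SAs that differ between them, policies without a mirror on the peer, and `require` policies with no SA for their tunnel endpoints. The function names are hypothetical, and the parser assumes only the `add ... esp ... -E` and `spdadd ... esp/tunnel/...` forms used in this message.

```python
import re

# Constructed sample input: the setkey statements from the net-A and net-B attachments.
NET_A = """
add 10.10.10.1 10.10.10.2 esp 1000 -E simple;
add 10.10.10.2 10.10.10.1 esp 1001 -E simple;
spdadd 10.99.10.0/24 10.99.20.0/24 any -P out ipsec
        esp/tunnel/10.10.10.1-10.10.10.2/require;
spdadd 10.99.20.0/24 10.99.10.0/24 any -P in ipsec
        esp/tunnel/10.10.10.2-10.10.10.1/require;
"""
NET_B = """
add 10.10.10.1 10.10.10.2 esp 1000 -E simple;
add 10.10.10.2 10.10.10.1 esp 1001 -E simple;
spdadd 10.99.20.0/24 10.99.10.0/24 any -P out ipsec
        esp/tunnel/10.10.10.2-10.10.10.1/require;
spdadd 10.99.10.0/24 10.99.20.0/24 any -P in ipsec
        esp/tunnel/10.10.10.1-10.10.10.2/require;
"""

SA_RE = re.compile(r"add (\S+) (\S+) esp (\d+) -E (\S+)")
SP_RE = re.compile(r"spdadd (\S+) (\S+) any -P (in|out) ipsec esp/tunnel/([\d.]+)-([\d.]+)/(\w+)")

def parse(text):
    """Split setkey input on ';' and return (SAs, policies) as sets of tuples."""
    sas, sps = set(), set()
    for stmt in filter(None, (" ".join(s.split()) for s in text.split(";"))):
        if m := SA_RE.fullmatch(stmt):
            sas.add((m[1], m[2], int(m[3]), m[4]))
        elif m := SP_RE.fullmatch(stmt):
            sps.add(m.groups())
        else:
            raise ValueError(f"unrecognised statement: {stmt}")
    return sas, sps

def check_pair(local, peer):
    """Findings seen from 'local'; call again with the arguments swapped."""
    (sas_l, sps_l), (sas_p, sps_p) = parse(local), parse(peer)
    # Manually keyed SAs must match on both ends: src, dst, SPI, algorithm.
    out = [f"SA on one host only: {sa}" for sa in sorted(sas_l ^ sas_p)]
    for src, dst, way, t_src, t_dst, level in sorted(sps_l):
        # The peer must hold the same selectors and tunnel with the direction flipped.
        flipped = "in" if way == "out" else "out"
        if (src, dst, flipped, t_src, t_dst, level) not in sps_p:
            out.append(f"peer lacks mirror of {src} {dst} -P {way}")
        # A 'require' policy with no SA for its tunnel endpoints cannot pass traffic.
        if level == "require" and not any(sa[:2] == (t_src, t_dst) for sa in sas_l):
            out.append(f"no SA for tunnel {t_src}-{t_dst}")
    return out
```

Host A's full configuration (net-A plus net-A2) also carries the SAs for host C, so compare one peer's statements at a time.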
