From: Robert Watson
Date: Sat, 25 Sep 2004 13:39:08 -0400 (EDT)
To: Hannes Mehnert
cc: freebsd-current@freebsd.org
Subject: Re: 5.3 IPSEC broken

On Sat, 25 Sep 2004, Hannes Mehnert wrote:

> On Fri, Sep 24, 2004 at 10:58:33PM -0400, Robert Watson wrote:
> > I'd like to take a look at this sometime in the next few days. Could you
> > send me an appropriately censored version of your racoon configuration for
> > each endpoint that I can use as a starting point?
>
> Sure, my config files are available at https://berlin.ccc.de/~hannes/racoon/
>
> I use a /30 subnet for IPSec, 192.168.2.40/30.

So an interesting first observation for anyone else following this is that
under mbuma, the number of bytes available in an mbuf has changed by four
due (presumably) to the use of extra space by mbuma:

4.x:

    MSIZE: 256
    MLEN: 236
    MHLEN: 212
    MINCLSIZE: 213
    sizeof(struct m_hdr): 20
    sizeof(struct pkthdr): 24

5.x:

    MSIZE: 256
    MLEN: 232
    MHLEN: 208
    MINCLSIZE: 209
    sizeof(struct m_hdr): 24
    sizeof(struct pkthdr): 24

So presumably something in pfkey was carefully (or accidentally) designed
to assume that some object/content would fit in MLEN or MHLEN that no
longer does.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research
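
The size change described in the message above, worked through as an added example (not code from the message, from pfkey or from the FreeBSD source): it derives MLEN and MHLEN from the quoted figures and lists which object lengths no longer land in the same kind of mbuf. The struct, enum and function names are hypothetical, and the three-way placement rule is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Figures quoted in the message, in bytes. Type and field names are hypothetical. */
struct mbuf_layout {
    const char *name;
    size_t msize;   /* MSIZE */
    size_t m_hdr;   /* sizeof(struct m_hdr) */
    size_t pkthdr;  /* sizeof(struct pkthdr) */
};

static const struct mbuf_layout LAYOUT_4X = { "4.x", 256, 20, 24 };
static const struct mbuf_layout LAYOUT_5X = { "5.x", 256, 24, 24 };

/* The data area is whatever the headers leave over inside MSIZE. */
static size_t mlen(const struct mbuf_layout *l)  { return l->msize - l->m_hdr; }
static size_t mhlen(const struct mbuf_layout *l) { return mlen(l) - l->pkthdr; }

enum fit { FIT_PKTHDR_MBUF, FIT_PLAIN_MBUF, FIT_NEEDS_CLUSTER };

/* Assumed placement rule: smallest container that holds len contiguous bytes. */
static enum fit classify(const struct mbuf_layout *l, size_t len)
{
    if (len <= mhlen(l)) return FIT_PKTHDR_MBUF;
    if (len <= mlen(l))  return FIT_PLAIN_MBUF;
    return FIT_NEEDS_CLUSTER;
}

/* Count lengths in [1, max_len] whose placement differs between two layouts;
 * the first and last such length are returned through lo and hi. */
static size_t changed_lengths(const struct mbuf_layout *a,
                              const struct mbuf_layout *b,
                              size_t max_len, size_t *lo, size_t *hi)
{
    size_t n = 0;
    for (size_t len = 1; len <= max_len; len++) {
        if (classify(a, len) == classify(b, len)) continue;
        if (n == 0) *lo = len;
        *hi = len;
        n++;
    }
    return n;
}

int main(void)
{
    size_t lo = 0, hi = 0;
    size_t n = changed_lengths(&LAYOUT_4X, &LAYOUT_5X, 256, &lo, &hi);
    printf("%zu lengths change placement (first %zu, last %zu)\n", n, lo, hi);
    return 0;
}
```

Code that sizes an object against a remembered constant rather than against MLEN or MHLEN at build time is exposed in exactly the two four-byte windows this reports.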