From: Niki Denev
To: Robert Watson
Cc: freebsd-current@freebsd.org
Date: Sat, 25 Sep 2004 23:22:36 +0300
Subject: Re: 5.3 IPSEC broken
List: freebsd-current (Discussions about the use of FreeBSD-current)

Robert Watson writes:

> On Sat, 25 Sep 2004, Robert Watson wrote:
>
>> On Sat, 25 Sep 2004, Hannes Mehnert wrote:
>>
>> > On Fri, Sep 24, 2004 at 10:58:33PM -0400, Robert Watson wrote:
>> > > I'd like to take a look at this sometime in the next few days. Could you
>> > > send me an appropriately censored version of your racoon configuration for
>> > > each endpoint that I can use as a starting point?
>> >
>> > Sure, my config files are available at https://berlin.ccc.de/~hannes/racoon/
>> >
>> > I use a /30 subnet for IPSec, 192.168.2.40/30.
>>
>> So an interesting first observation for anyone else following this is
>> that under mbuma, the number of bytes available in an mbuf has changed
>> by four due (presumably) to the use of extra space by mbuma:
>
> A bit more follow-up in case anyone else starts chasing this also: ktrace
> indicates that it's this sendto:
>
>    621 racoon GIO fd 3 wrote 108 bytes
>        "<31>Sep 25 15:03:37 racoon: 2004-09-25 15:03:37: DEBUG:
> pfkey.c:1061:p\
>         k_sendupdate(): call pfkey_send_update"
>    621 racoon RET sendto 108/0x6c
>    621 racoon CALL getpid
>    621 racoon RET getpid 621/0x26d
>    621 racoon CALL sendto(0x4,0x809c800,0xd8,0,0,0)
>    621 racoon RET sendto -1 errno 55 No buffer space available
>    621 racoon CALL gettimeofday(0xbfbfe818,0)
>    621 racoon RET gettimeofday 0
>    621 racoon CALL write(0x1,0x80a2000,0x72)
>    621 racoon GIO fd 1 wrote 114 bytes
>        "2004-09-25 15:03:38: ERROR: pfkey.c:1076:pk_sendupdate(): libipsec
> fai\
>         led send update (No buffer space available)
>
> That's a 216 byte packet, fwiw. I instrumented key.c and ran into the
> following ENOBUFS case on key.c:6957:
>
>         /* align the mbuf chain so that extensions are in contiguous region. */
>         error = key_align(m, &mh);
>         if (error)
>                 return error;
>
>         if (m->m_next) {        /*XXX*/
>                 m_freem(m);
>                 return ENOBUFS;
>         }
>
> I.e., the author knew it was a bug (feature) that an additional mbuf
> couldn't be handled here, but we do need to handle one. Looks like much
> of the surrounding code could be replaced with a call to m_defrag() and/or
> m_pullup().
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Principal Research Scientist, McAfee Research
>

Just to mention that I too experience this problem, but with FAST_IPSEC,
so this probably means that if any fix will be made for netkey/key.c
then netipsec/key.c will need it too (as far as I can tell).
Please correct me if I'm wrong.

--niki
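
The ENOBUFS path quoted above, as an added userspace model that is not part of the original thread and is not FreeBSD kernel code: a strict parser refuses any chained second buffer, while copying the chain into one contiguous region first lets the same 216-byte message through. The names struct seg, parse_strict and coalesce are hypothetical, and the 128 + 88 byte split is constructed for illustration.

```c
/* Userspace model (constructed), not FreeBSD code: struct seg,
 * parse_strict and coalesce are hypothetical names for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct seg {                      /* stand-in for an mbuf */
    struct seg *next;             /* next buffer in the chain, or NULL */
    size_t len;                   /* bytes used in data[] */
    unsigned char data[128];
};

/* Mirrors the quoted check: a chained second buffer is refused. */
int parse_strict(const struct seg *s)
{
    return s->next != NULL ? ENOBUFS : 0;
}

/* Copy the chain into one contiguous buffer before parsing.
 * Returns 0 on success and stores the byte count in *out. */
int coalesce(const struct seg *s, unsigned char *dst, size_t cap, size_t *out)
{
    size_t off = 0;
    for (; s != NULL; s = s->next) {
        if (s->len > sizeof s->data)
            return EINVAL;        /* corrupt segment length */
        if (s->len > cap - off)
            return ENOBUFS;       /* destination too small */
        memcpy(dst + off, s->data, s->len);
        off += s->len;
    }
    *out = off;
    return 0;
}

int main(void)
{
    /* Constructed input: a 216-byte message split as 128 + 88 bytes. */
    struct seg b = { NULL, 88, {0} }, a = { &b, 128, {0} };
    unsigned char flat[256];
    size_t n = 0;
    int rc = coalesce(&a, flat, sizeof flat, &n);
    printf("strict=%d coalesce=%d len=%zu\n", parse_strict(&a), rc, n);
    return 0;
}
```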