Date:      Tue, 4 Mar 2008 17:01:22 -0700
From:      "Cyrus Rahman" <crahman@gmail.com>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipv6 + ah + esp
Message-ID:  <9e77bdb50803041601r9f687bfpe164f1b7b7d02719@mail.gmail.com>
In-Reply-To: <20080304152255.M50685@maildrop.int.zabbadoz.net>
References:  <9e77bdb50803040649u1876d8d4l9f2b7a4cef5c4b5@mail.gmail.com> <20080304152255.M50685@maildrop.int.zabbadoz.net>

>  > Is there a known problem running ah+esp on ip6?  I can set up an
>  > association and run ah+esp just fine on ip4,
>  > and ah or esp work well by themselves in ip6, but I've had no luck
>  > with combining them on ip6.
>
>  22 is EINVAL.
>
>  The same error message is there twice in sys/netinet6/ip6_output.c
>  (search for "(ipsec)" w/o the "").
>
>  Could you alter them so we can tell them apart, recompile the kernel
>  and file a PR with this information and whether it is the printf after
>  ipsec6_output_trans or after ipsec6_output_tunnel.

In this case, because I'm using transport mode, it's in
ipsec6_output_trans, but the problem would occur in either case.

Looking in ipsec_output.c, ipsec_process_done(), the problem is this
dodgy bit of code:

        /*
         * If there's another (bundled) SA to apply, do so.
         * Note that this puts a burden on the kernel stack size.
         * If this is a problem we'll need to introduce a queue
         * to set the packet on so we can unwind the stack before
         * doing further processing.
         */
        if (isr->next) {
                ipsec4stat.ips_out_bundlesa++;
                return ipsec4_process_packet(m, isr->next, 0, 0);
        }

which works great for ipv4 but not so well in the other case.

Actually, there's another problem in the new ipsec, which is that the
refcnt for security associations gets incremented each time a packet
traverses the code.  So when you tear an association down you have to
wait hours for it to be deleted, since it only decrements once each
second.  This only happens in ipv6 too, ipv4 works fine.

I'll file a pr.

Thanks!
Cyrus
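The bundle-dispatch problem described in this message, modelled as an added C example (constructed here, not FreeBSD kernel code): it shows why the second SA of an AH+ESP bundle must be handed to the stack matching the packet's address family, and that the SA reference taken per packet has to be released on the same path. The struct names, `apply_bundle` and the `v4_only_bundle` switch are assumptions made for the model.

```c
/* Constructed model of bundled-SA output processing (not FreeBSD code). */
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

struct sa_entry {             /* stand-in for an IPsec request entry (isr) */
    int family;               /* AF_INET or AF_INET6: the stack this SA belongs to */
    int refcnt;               /* must return to its starting value after each packet */
    struct sa_entry *next;    /* next SA in the bundle, as isr->next */
};

struct packet {
    int family;               /* address family of the outer header */
    int transforms;           /* SAs applied so far (AH+ESP bundle -> 2) */
};

static int process_packet(struct packet *m, struct sa_entry *isr,
                          int family, int v4_only_bundle);

/* Mirrors ipsec_process_done(): drop the reference, then handle isr->next.
 * With v4_only_bundle set it behaves like the quoted code and always takes
 * the IPv4 path for the bundled SA; otherwise it dispatches by m->family. */
static int process_done(struct packet *m, struct sa_entry *isr, int v4_only_bundle)
{
    isr->refcnt--;            /* release the reference taken in process_packet */
    if (isr->next)
        return process_packet(m, isr->next,
                              v4_only_bundle ? AF_INET : m->family, v4_only_bundle);
    return 0;
}

/* Stand-in for ipsec{4,6}_process_packet(): apply one SA on the given stack. */
static int process_packet(struct packet *m, struct sa_entry *isr,
                          int family, int v4_only_bundle)
{
    /* The family check reproduces the EINVAL (22) the reporter saw. */
    if (isr->family != family || m->family != family)
        return EINVAL;
    isr->refcnt++;            /* hold the SA while the transform runs */
    m->transforms++;
    return process_done(m, isr, v4_only_bundle);
}

/* Apply a whole bundle to a packet; returns 0 on success or an errno value. */
int apply_bundle(struct packet *m, struct sa_entry *head, int v4_only_bundle)
{
    return process_packet(m, head, m->family, v4_only_bundle);
}
```

With `v4_only_bundle` set, an IPv6 AH+ESP bundle fails with EINVAL after the first transform, while an IPv4 bundle completes; with family-aware dispatch both complete and every SA's refcnt returns to zero.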